Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Vulnerability Analysis

CVE-2020-26137: CRLF injection in urllib3 header handling

CVE-2020-26137 let attackers inject CRLF sequences into urllib3-built HTTP requests. Here's the impact, affected versions, and how to remediate it.

Oct 7, 20257 min read
Vulnerability Analysis

CVE-2017-18342: Arbitrary code execution via PyYAML yaml....

CVE-2017-18342 lets attackers achieve remote code execution via PyYAML's yaml.load(), which deserialized untrusted YAML into live Python objects by default.

Oct 6, 20258 min read
Vulnerability Analysis

CVE-2020-1747: PyYAML full_load still allows code execution

CVE-2020-1747 shows PyYAML's FullLoader and full_load() could still trigger arbitrary code execution on untrusted YAML before 5.3.1. Here's the full breakdown.

Oct 6, 20258 min read
Vulnerability Analysis

CVE-2022-22817: Arbitrary code execution in Pillow via Im...

CVE-2022-22817 lets attackers achieve arbitrary code execution via Pillow's ImageMath.eval() when environment data is attacker-controlled. Patch to 9.0.1+.

Oct 6, 20258 min read
Application Security

CVE-2021-25287: Buffer overflow in Pillow SGI decoder

A heap buffer overflow in Pillow's SGI image decoder (CVE-2021-25287) let crafted images corrupt memory. Here's the impact, fix, and remediation guidance.

Oct 5, 20258 min read
Vulnerability Analysis

CVE-2020-35654: Buffer over-read in Pillow PCX decoder

A buffer over-read in Pillow's PCX decoder (CVE-2020-35654) could crash image-processing services on crafted files. Here's the fix and detection guidance.

Oct 5, 20257 min read
Vulnerability Analysis

CVE-2023-50782: Bleichenbacher timing oracle in python-cr...

CVE-2023-50782 exposes a Bleichenbacher-style timing oracle in python-cryptography's RSA PKCS1v15 decryption, letting attackers recover plaintext.

Oct 4, 20257 min read
Vulnerability Analysis

CVE-2023-30861: Flask session cookie disclosure to templates

CVE-2023-30861 lets caching proxies leak Flask session cookies between users when responses aren't marked Vary: Cookie. Here's who's affected and how to fix it.

Oct 4, 20258 min read
Vulnerability Analysis

CVE-2023-25577: Denial of service in Werkzeug multipart p...

CVE-2023-25577 lets attackers trigger denial of service in Werkzeug's multipart parser via crafted uploads. Here's the impact, timeline, and fix.

Oct 3, 20257 min read
Vulnerability Analysis

CVE-2020-10108: Cross-protocol scripting in Twisted

CVE-2020-10108 lets a malicious server abuse Twisted's redirect handling for cross-protocol scripting. Affected versions, risk context, and fixes inside.

Oct 3, 20258 min read
Vulnerability Analysis

CVE-2020-10109: Denial of service in Twisted via 100-cont...

CVE-2020-10109 lets attackers hang Twisted's HTTP server with malformed 100-continue requests, exhausting resources until it stops responding.

Oct 3, 20257 min read
Vulnerability Analysis

CVE-2021-43818: XSS bypass in lxml Cleaner

CVE-2021-43818 shows how crafted SVG markup could slip past lxml's Cleaner sanitizer and execute script in supposedly 'cleaned' HTML output.

Oct 2, 20258 min read
supply-chain-security (Page 74) — Safeguard Blog