supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
CVE-2023-48795: Terrapin attack affecting paramiko SSH ex...
The Terrapin attack (CVE-2023-48795) lets on-path attackers truncate SSH extension negotiation, downgrading security in paramiko and other SSH implementations.
CVE-2020-11651: Authentication bypass in SaltStack salt-m...
CVE-2020-11651, a critical CVSS 9.8 authentication bypass in SaltStack's salt-master, enabled unauthenticated RCE and fueled real-world attacks on LineageOS, Ghost, and DigiCert.
CVE-2020-11652: Directory traversal in SaltStack salt-master
CVE-2020-11652 lets remote attackers read files outside SaltStack file_roots via a salt-master directory traversal flaw. Impact, timeline, and fixes inside.
SCA Scanning: What It Catches in Practice
SCA scanning finds known CVEs in your open-source dependencies and license conflicts you didn't know you'd agreed to — here's exactly what a scan catches, in order of how often it actually matters.
CVE-2019-12814: Jackson-databind polymorphic type gadget ...
A look at CVE-2019-12814, a jackson-databind polymorphic typing gadget tied to JAXB classes, its risk profile, and how to remediate it in modern Java stacks.
CVE-2019-14379: Jackson-databind deserialization via jdk....
CVE-2019-14379 lets attackers abuse jackson-databind's polymorphic deserialization via a JDK Nashorn gadget class. Here's the risk, fix, and detection guidance.
CVE-2019-14540: Jackson-databind blacklist bypass via c3p...
CVE-2019-14540 lets attackers bypass jackson-databind's deserialization blacklist via c3p0 classes to achieve RCE. Here's what's affected, the timeline, and how to remediate.
CVE-2019-16335: Jackson-databind gadget via jackson-dataf...
CVE-2019-16335 is a jackson-databind polymorphic deserialization flaw tied to jackson-dataformat-cbor, fixed in 2.9.10. Here's the impact, timeline, and fix.
CVE-2020-1938 (Ghostcat): File inclusion via Apache Tomca...
Ghostcat (CVE-2020-1938) let attackers read files—and often achieve RCE—via Tomcat's default, unauthenticated AJP connector. Here's the risk, fix, and KEV context.
CVE-2019-0232: Remote code execution in Apache Tomcat CGI...
CVE-2019-0232 lets attackers execute arbitrary commands on Windows-hosted Apache Tomcat via the CGI Servlet. Here's the CVSS 9.8 detail, affected versions, and fixes.
CVE-2016-1000027: Remote code execution via Spring HttpIn...
A decade-old flaw in Spring's HttpInvokerServiceExporter enables unauthenticated RCE via Java deserialization. Severity, timeline, and remediation for CVE-2016-1000027.
CVE-2021-26701: Remote code execution in .NET Core
CVE-2021-26701 is a 2021 .NET Core remote code execution flaw tied to text encoding. Here's what was affected, how it was patched, and how to stay protected.