Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Vulnerability Analysis

CVE-2023-48795: Terrapin attack affecting paramiko SSH ex...

The Terrapin attack (CVE-2023-48795) lets on-path attackers truncate SSH extension negotiation, downgrading security in paramiko and other SSH implementations.

Oct 2, 20258 min read
Vulnerability Analysis

CVE-2020-11651: Authentication bypass in SaltStack salt-m...

CVE-2020-11651, a critical CVSS 9.8 authentication bypass in SaltStack's salt-master, enabled unauthenticated RCE and fueled real-world attacks on LineageOS, Ghost, and DigiCert.

Oct 1, 20258 min read
Vulnerability Analysis

CVE-2020-11652: Directory traversal in SaltStack salt-master

CVE-2020-11652 lets remote attackers read files outside SaltStack file_roots via a salt-master directory traversal flaw. Impact, timeline, and fixes inside.

Oct 1, 20258 min read
Supply Chain

SCA Scanning: What It Catches in Practice

SCA scanning finds known CVEs in your open-source dependencies and license conflicts you didn't know you'd agreed to — here's exactly what a scan catches, in order of how often it actually matters.

Sep 30, 20255 min read
Vulnerability Analysis

CVE-2019-12814: Jackson-databind polymorphic type gadget ...

A look at CVE-2019-12814, a jackson-databind polymorphic typing gadget tied to JAXB classes, its risk profile, and how to remediate it in modern Java stacks.

Sep 30, 20257 min read
Vulnerability Analysis

CVE-2019-14379: Jackson-databind deserialization via jdk....

CVE-2019-14379 lets attackers abuse jackson-databind's polymorphic deserialization via a JDK Nashorn gadget class. Here's the risk, fix, and detection guidance.

Sep 29, 20257 min read
Vulnerability Analysis

CVE-2019-14540: Jackson-databind blacklist bypass via c3p...

CVE-2019-14540 lets attackers bypass jackson-databind's deserialization blacklist via c3p0 classes to achieve RCE. Here's what's affected, the timeline, and how to remediate.

Sep 29, 20257 min read
Vulnerability Analysis

CVE-2019-16335: Jackson-databind gadget via jackson-dataf...

CVE-2019-16335 is a jackson-databind polymorphic deserialization flaw tied to jackson-dataformat-cbor, fixed in 2.9.10. Here's the impact, timeline, and fix.

Sep 29, 20257 min read
Vulnerability Analysis

CVE-2020-1938 (Ghostcat): File inclusion via Apache Tomca...

Ghostcat (CVE-2020-1938) let attackers read files—and often achieve RCE—via Tomcat's default, unauthenticated AJP connector. Here's the risk, fix, and KEV context.

Sep 24, 20257 min read
Vulnerability Analysis

CVE-2019-0232: Remote code execution in Apache Tomcat CGI...

CVE-2019-0232 lets attackers execute arbitrary commands on Windows-hosted Apache Tomcat via the CGI Servlet. Here's the CVSS 9.8 detail, affected versions, and fixes.

Sep 24, 20258 min read
Vulnerability Analysis

CVE-2016-1000027: Remote code execution via Spring HttpIn...

A decade-old flaw in Spring's HttpInvokerServiceExporter enables unauthenticated RCE via Java deserialization. Severity, timeline, and remediation for CVE-2016-1000027.

Sep 22, 20257 min read
Vulnerability Analysis

CVE-2021-26701: Remote code execution in .NET Core

CVE-2021-26701 is a 2021 .NET Core remote code execution flaw tied to text encoding. Here's what was affected, how it was patched, and how to stay protected.

Sep 19, 20257 min read
supply-chain-security (Page 75) — Safeguard Blog