vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
Text4Shell Apache Commons Text RCE (CVE-2022-42889)
A deep dive into CVE-2022-42889 (Text4Shell): the Apache Commons Text RCE, its narrower real-world exploitability versus Log4Shell, and how to remediate it.
Trojan Source Unicode bidi-override attack (CVE-2021-42574)
CVE-2021-42574 (Trojan Source) lets Unicode bidi control characters hide malicious logic in plain sight during code review. Here's the full breakdown and fix.
OpenSSL punycode buffer overflow pair (CVE-2022-3602 / CVE-2022-3786)
A deep dive into CVE-2022-3602 and CVE-2022-3786, the OpenSSL punycode buffer overflow pair once dubbed "Heartbleed 2.0" — impact, timeline, and fixes.
Outlook NTLM hash leak zero-day (CVE-2023-23397)
A zero-click Outlook flaw let attackers steal NTLM hashes via crafted calendar reminders — exploited by APT28 for a year before patching. Here's what to do.
MOVEit Transfer SQL injection mass-exploitation (CVE-2023-34362)
CVE-2023-34362, the MOVEit Transfer SQL injection exploited by Cl0p, hit 2,600+ organizations. Impact, timeline, and remediation steps inside.
Apache OFBiz CVE-2024-38856 Pre-Auth RCE Analysis
CVE-2024-38856 is an unauthenticated RCE in Apache OFBiz that bypasses authentication via screen rendering. Exploit chain, detection, and patching.
lodash prototype pollution via zipObjectDeep (CVE-2020-8203)
CVE-2020-8203 lets attackers pollute Object.prototype via lodash's zipObjectDeep. Learn affected versions, CVSS/EPSS context, and remediation steps.
lodash defaultsDeep prototype pollution (CVE-2019-10744)
A critical prototype pollution flaw in lodash's defaultsDeep (CVE-2019-10744) lets attackers corrupt Object.prototype. Here's the impact and how to fix it.
lodash template code injection (CVE-2021-23337)
CVE-2021-23337 lets attackers inject code via lodash's template function. Here's the impact, affected versions, CVSS/EPSS context, and how to remediate it.
Alibaba fastjson deserialization RCE (CVE-2022-25845)
A critical AutoType-bypass RCE in Alibaba fastjson (CVSS 9.8, EPSS ~99th pct) hits any app parsing untrusted JSON. Here's how to detect and fix it.
Struts2 REST plugin XStream deserialization RCE (CVE-2017-9805)
CVE-2017-9805 lets attackers RCE Struts2 REST APIs via unsafe XStream XML deserialization. Learn impact, affected versions, and remediation steps.
Apache Commons Collections deserialization gadget RCE (CVE-2015-7501)
A decade-old Apache Commons Collections deserialization gadget chain still enables unauthenticated RCE across legacy Java middleware. Here's how to find and fix it.