vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
Kubernetes Python client aggregated API vulnerability (CVE-2022-3172)
CVE-2022-3172 lets a rogue aggregated API backend redirect authenticated Kubernetes API traffic, exposing Python client apps to credential theft.
Django str.format denial of service (CVE-2023-41164)
CVE-2023-41164 lets attackers DoS Django apps via a str.format() flaw in uri_to_iri(). Here's what's affected, severity context, and how to fix it.
Django admin ChangeList path traversal (CVE-2021-33203)
CVE-2021-33203 is a staff-only path traversal in Django's admindocs TemplateDetailView. Here's what's affected, its CVSS/EPSS profile, and how to remediate it.
Django QuerySet.explain SQL injection (CVE-2022-28346)
A Django ORM flaw let unvalidated input reach EXPLAIN and annotate() SQL generation. Here's the CVE-2022-28347 impact, fix, and defense playbook.
Django GIS SQL injection (CVE-2020-9402)
CVE-2020-9402 lets attackers inject SQL via Django GIS's tolerance parameter on Oracle. Versions, CVSS/EPSS data, timeline, and fixes inside.
Flask session cookie information disclosure (CVE-2023-30861)
A missing Vary: Cookie header in Flask session handling let shared caches leak one user's session cookie to another. Here's how to detect and fix it.
Werkzeug multipart form-data denial of service (CVE-2019-1010083)
CVE-2019-1010083 lets attackers crash Flask apps via crafted multipart form-data. Here's the CVSS score, timeline, and how to fix the Werkzeug DoS flaw.
Werkzeug multipart parser DoS (CVE-2023-46136)
A crafted multipart upload could pin Werkzeug workers at 100% CPU with no auth required. Here's what CVE-2023-46136 affects and how to fix it.
Jinja2 sandbox escape (CVE-2022-29361)
CVE-2022-29361 lets attackers bypass Jinja2's SandboxedEnvironment via str.format, reaching unsafe attributes and risking RCE in untrusted-template apps.
CVE analysis: nation-state supply chain attacks on defens...
CVE analysis of nation-state supply chain attacks on defense contractors: SolarWinds SUNBURST and Ivanti Connect Secure exploitation, CVSS, KEV, and fixes.
Jinja2 xmlattr filter XSS (CVE-2024-22195)
CVE-2024-22195 lets attacker-controlled dict keys bypass Jinja2's xmlattr escaping for XSS. Learn affected versions, CVSS/EPSS context, and fixes.
Sentry SDK sensitive data exposure (CVE-2021-23727)
CVE-2021-23727 let sentry-sdk for Python leak OS environment variables into Sentry events, exposing secrets. Here's the impact, timeline, and fix.