vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
Log4j SocketServer unsafe deserialization (CVE-2019-17571)
A deep dive into CVE-2019-17571, the Log4j 1.x SocketServer deserialization flaw enabling remote code execution, with remediation guidance.
Jackson-databind gadget chain RCE (CVE-2019-12384)
CVE-2019-12384 lets attacker-controlled JSON trigger a jackson-databind gadget chain via Logback, turning polymorphic deserialization into remote code execution.
Jackson-databind RCE via JDOM gadget (CVE-2020-36189)
CVE-2020-36189 lets attackers chain jackson-databind polymorphic deserialization with a JDOM gadget for RCE, SSRF, or XXE. Here's the mechanics and the fix.
dom4j XML external entity vulnerability (CVE-2018-1000632)
CVE-2018-1000632, the dom4j XXE vulnerability, let attackers inject and tamper with XML via unescaped addElement/addAttribute calls. Here's the fix.
CVE analysis: vulnerabilities in Open RAN and 5G core net...
An open RAN 5G core CVE analysis of the 5Ghoul modem flaws: affected components, CVSS/EPSS/KEV context, disclosure timeline, and practical remediation steps.
Apache Commons FileUpload RCE (CVE-2016-1000031)
CVE-2016-1000031 is a critical Apache Commons FileUpload deserialization RCE that still lurks in transitive Java dependencies years after its fix.
H2 database console remote code execution (CVE-2021-42392)
CVE-2021-42392 lets attackers trigger RCE in H2's console and JDBC URL handling via a Log4Shell-style JNDI gadget. Here's what's affected and how to fix it.
Spring Cloud Function SpEL injection RCE (CVE-2022-22963)
CVE-2022-22963 lets attackers RCE unpatched Spring Cloud Function apps via one SpEL header. CVSS 9.8. Here's the fix, fast.
Spring Cloud Gateway actuator RCE (CVE-2022-22947)
A critical SpEL injection flaw in Spring Cloud Gateway's actuator API let unauthenticated attackers run code. Here's the impact, timeline, and fixes.
Apache Shiro remember-me cookie deserialization RCE (CVE-2016-4437)
Apache Shiro's default rememberMe cipher key enables unauthenticated Java deserialization RCE. Here's how CVE-2016-4437 works and how to fix it.
Jetty SSL buffer bloat denial of service (CVE-2021-28165)
CVE-2021-28165 lets attackers exhaust Jetty server memory via SSL buffer bloat, causing denial of service. Affected versions, timeline, and fixes inside.
Spring Security authorization rule bypass (CVE-2023-34035)
CVE-2023-34035 lets Spring Security's requestMatchers() silently mis-evaluate authorization rules in multi-servlet apps. Here's the fix and how to detect exposure.