Safeguard
Tag

vulnerability-analysis

Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.

360 articles

Vulnerability Analysis

Log4j SocketServer unsafe deserialization (CVE-2019-17571)

A deep dive into CVE-2019-17571, the Log4j 1.x SocketServer deserialization flaw enabling remote code execution, with remediation guidance.

Dec 25, 20257 min read
Vulnerability Analysis

Jackson-databind gadget chain RCE (CVE-2019-12384)

CVE-2019-12384 lets attacker-controlled JSON trigger a jackson-databind gadget chain via Logback, turning polymorphic deserialization into remote code execution.

Dec 25, 20258 min read
Vulnerability Analysis

Jackson-databind RCE via JDOM gadget (CVE-2020-36189)

CVE-2020-36189 lets attackers chain jackson-databind polymorphic deserialization with a JDOM gadget for RCE, SSRF, or XXE. Here's the mechanics and the fix.

Dec 25, 20257 min read
Vulnerability Analysis

dom4j XML external entity vulnerability (CVE-2018-1000632)

CVE-2018-1000632, the dom4j XXE vulnerability, let attackers inject and tamper with XML via unescaped addElement/addAttribute calls. Here's the fix.

Dec 24, 20258 min read
Vulnerability Analysis

CVE analysis: vulnerabilities in Open RAN and 5G core net...

An open RAN 5G core CVE analysis of the 5Ghoul modem flaws: affected components, CVSS/EPSS/KEV context, disclosure timeline, and practical remediation steps.

Dec 24, 20258 min read
Vulnerability Analysis

Apache Commons FileUpload RCE (CVE-2016-1000031)

CVE-2016-1000031 is a critical Apache Commons FileUpload deserialization RCE that still lurks in transitive Java dependencies years after its fix.

Dec 24, 20257 min read
Vulnerability Analysis

H2 database console remote code execution (CVE-2021-42392)

CVE-2021-42392 lets attackers trigger RCE in H2's console and JDBC URL handling via a Log4Shell-style JNDI gadget. Here's what's affected and how to fix it.

Dec 24, 20257 min read
Vulnerability Analysis

Spring Cloud Function SpEL injection RCE (CVE-2022-22963)

CVE-2022-22963 lets attackers RCE unpatched Spring Cloud Function apps via one SpEL header. CVSS 9.8. Here's the fix, fast.

Dec 24, 20258 min read
Vulnerability Analysis

Spring Cloud Gateway actuator RCE (CVE-2022-22947)

A critical SpEL injection flaw in Spring Cloud Gateway's actuator API let unauthenticated attackers run code. Here's the impact, timeline, and fixes.

Dec 23, 20257 min read
Vulnerability Analysis

Apache Shiro remember-me cookie deserialization RCE (CVE-2016-4437)

Apache Shiro's default rememberMe cipher key enables unauthenticated Java deserialization RCE. Here's how CVE-2016-4437 works and how to fix it.

Dec 23, 20258 min read
Vulnerability Analysis

Jetty SSL buffer bloat denial of service (CVE-2021-28165)

CVE-2021-28165 lets attackers exhaust Jetty server memory via SSL buffer bloat, causing denial of service. Affected versions, timeline, and fixes inside.

Dec 23, 20257 min read
Vulnerability Analysis

Spring Security authorization rule bypass (CVE-2023-34035)

CVE-2023-34035 lets Spring Security's requestMatchers() silently mis-evaluate authorization rules in multi-servlet apps. Here's the fix and how to detect exposure.

Dec 23, 20258 min read
vulnerability-analysis (Page 17) — Safeguard Blog