vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
Spring Security OAuth2 client vulnerability (CVE-2022-31690)
CVE-2022-31690 in Spring Security's OAuth2 client can let one principal obtain another's token. Here's the impact, CVSS/EPSS context, and how to remediate.
Apache Solr XXE remote code execution (CVE-2017-12629)
CVE-2017-12629 chains XXE and Solr's RunExecutableListener into unauthenticated RCE. Affected versions, timeline, and concrete remediation steps.
CVE analysis: vulnerabilities in SCADA and industrial con...
A SCADA industrial control CVE analysis of CVE-2018-8872, the Triconex Tricon flaw behind the TRITON safety-system attack — affected versions, CVSS context, timeline, and remediation.
Docker Engine crafted image denial of service (CVE-2021-21285)
CVE-2021-21285 lets a crafted container image crash Docker Engine before 20.10.3. Affected versions, severity, timeline, and remediation steps.
Docker Engine remap-root UID mapping vulnerability (CVE-2021-21284)
CVE-2021-21284 let remapped-root containers escalate to real host root, defeating Docker's userns-remap isolation. Here's the full breakdown and fix.
What is prototype pollution and why it keeps recurring in npm packages
Prototype pollution has hit lodash, jQuery, minimist, hoek, and immer since 2018. Here's how the bug works and why it keeps coming back in npm.
Path traversal vulnerabilities explained with real-world examples
Path traversal (CWE-22) has powered CVEs from Apache to Citrix to F5. Here's how it works, real breaches, and how to stop it.
Server-Side Request Forgery (SSRF): how it works and how to prevent it
SSRF turns a server into an attacker's proxy into your internal network. Here's how it works, what Capital One's breach taught the industry, and how to stop it.
Cross-site scripting (XSS) explained for developers
XSS has topped vulnerability lists for two decades. Here's how reflected, stored, and DOM-based XSS actually work, real incidents, and how to fix them.
SQL injection: a complete developer's guide
A developer's guide to SQL injection: how it works, why CWE-89 still ranks in MITRE's Top 25, real breaches, and how to detect and fix it.
OS command injection explained
OS command injection lets attackers run arbitrary shell commands via unsanitized input. See how it works, real CVEs like PAN-OS 2024, and fixes.
Insecure deserialization vulnerabilities explained
Insecure deserialization vulnerabilities let attackers turn trusted classes into gadget chains for RCE. See real CVEs, affected languages, and fixes.