vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
CVE-2024-21626: runc process.cwd Container Breakout Deep ...
A technical breakdown of CVE-2024-21626, the runc process.cwd() flaw enabling container breakout to host access, with detection and remediation guidance.
Log4Shell (CVE-2021-44228) Deep Dive: JNDI Injection in L...
Log4Shell (CVE-2021-44228) let attackers achieve remote code execution via a single logged string. A deep dive into the JNDI flaw, its impact, and remediation.
Spring4Shell (CVE-2022-22965) Deep Dive: RCE via Data Bin...
A technical breakdown of Spring4Shell (CVE-2022-22965): the data-binding RCE, affected Spring/Tomcat configurations, severity, timeline, and how to remediate and detect exposure.
What Is OSV (Open Source Vulnerabilities)?
OSV is an open, ecosystem-native vulnerability database that expresses affected versions in precise, machine-matchable ranges. Here is how it works and why scanners rely on it.
Secure Random Number Generation in PHP with random_bytes
PHP's mt_rand() has a 32-bit seed space attackers can crack in seconds. Here's why random_bytes() and random_int() replaced it in PHP 7.0, and how weak randomness still causes breaches.
CVE-2018-16487: Prototype pollution in lodash via merge/m...
CVE-2018-16487 let attackers pollute Object.prototype through lodash's merge, mergeWith, and defaultsDeep — a bypass of an earlier fix, patched in 4.17.11.
CVE-2019-11358: Prototype pollution in jQuery $.extend
CVE-2019-11358 lets attackers pollute Object.prototype via jQuery's $.extend() deep merge. Here's the impact, affected versions, and how to fix it.
CVE-2020-11022: XSS in jQuery via htmlPrefilter
CVE-2020-11022 lets attacker-controlled HTML bypass sanitization via jQuery's htmlPrefilter, enabling XSS in versions before 3.5.0. Impact, timeline, and fixes.
CVE-2020-11023: XSS in jQuery option/script tag handling
CVE-2020-11023 let untrusted HTML with option tags bypass sanitization in jQuery's DOM methods, enabling XSS. Here's the fix, timeline, and remediation.
CVE-2015-9251: jQuery cross-domain AJAX XSS
CVE-2015-9251 lets attackers exploit jQuery's cross-domain AJAX handling to run arbitrary script. Learn affected versions, risk context, and fixes.
CVE-2020-7729: Command injection in node-notifier
CVE-2020-7729 lets attacker-influenced input reach node-notifier's OS notifier calls, enabling command injection. Here's the impact, timeline, and fix.
CVE-2021-23343: ReDoS in path-parse
CVE-2021-23343 is a ReDoS vulnerability in path-parse before 1.0.7 that lets crafted path strings stall Node.js apps. Here's how it works and how to fix it.