Safeguard
Tag

vulnerability-analysis

Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.

360 articles

Vulnerability Analysis

CVE-2022-34265: SQL injection via Trunc/Extract database ...

A technical breakdown of CVE-2022-34265, the Django SQL injection flaw in Trunc() and Extract(), covering affected versions, risk, and remediation steps.

Oct 8, 20257 min read
Vulnerability Analysis

CVE-2018-6188: User enumeration in Django password reset

A timing difference in Django password resets let attackers confirm valid emails via response latency. CVE-2018-6188 impact, fix versions, and remediation.

Oct 8, 20258 min read
Vulnerability Analysis

CVE-2018-18074: requests library leaks Authorization head...

The Python requests library leaked Authorization headers on same-host HTTPS-to-HTTP redirects, exposing credentials to sniffing before v2.20.0.

Oct 7, 20258 min read
Vulnerability Analysis

CVE-2023-32681: requests leaks Proxy-Authorization on red...

A malicious proxy could capture Proxy-Authorization credentials from Python's requests library when redirects crossed to HTTPS, before v2.31.0.

Oct 7, 20258 min read
Vulnerability Analysis

CVE-2020-1747: PyYAML full_load still allows code execution

CVE-2020-1747 shows PyYAML's FullLoader and full_load() could still trigger arbitrary code execution on untrusted YAML before 5.3.1. Here's the full breakdown.

Oct 6, 20258 min read
Vulnerability Analysis

CVE-2020-14343: PyYAML arbitrary code execution via pytho...

CVE-2020-14343 lets attackers run arbitrary code via PyYAML's python/object/new tag, bypassing an earlier FullLoader fix. Versions, CVSS, and remediation inside.

Oct 6, 20257 min read
Vulnerability Analysis

CVE-2022-22817: Arbitrary code execution in Pillow via Im...

CVE-2022-22817 lets attackers achieve arbitrary code execution via Pillow's ImageMath.eval() when environment data is attacker-controlled. Patch to 9.0.1+.

Oct 6, 20258 min read
Vulnerability Analysis

CVE-2020-35654: Buffer over-read in Pillow PCX decoder

A buffer over-read in Pillow's PCX decoder (CVE-2020-35654) could crash image-processing services on crafted files. Here's the fix and detection guidance.

Oct 5, 20257 min read
Vulnerability Analysis

CVE-2020-35655: Decompression bomb DoS in Pillow

A crafted image file could force Pillow to over-allocate memory, causing denial of service. Here's what CVE-2020-35655 affects, its severity, and how to remediate it.

Oct 5, 20257 min read
Vulnerability Analysis

CVE-2023-50447: Arbitrary code execution via Pillow Image...

A patch bypass in Pillow's ImageMath.eval() reopens arbitrary code execution first flagged in CVE-2022-22817. Here's what changed and how to remediate it.

Oct 4, 20258 min read
Vulnerability Analysis

CVE-2023-49083: NULL pointer dereference in python-crypto...

A NULL pointer dereference in python-cryptography's PKCS7 loader (CVE-2023-49083) lets malformed input crash applications. Here's what to patch and why.

Oct 4, 20256 min read
Vulnerability Analysis

CVE-2023-50782: Bleichenbacher timing oracle in python-cr...

CVE-2023-50782 exposes a Bleichenbacher-style timing oracle in python-cryptography's RSA PKCS1v15 decryption, letting attackers recover plaintext.

Oct 4, 20257 min read
vulnerability-analysis (Page 27) — Safeguard Blog