Safeguard
Tag

vulnerability-analysis

Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.

360 articles

Vulnerability Analysis

CVE-2023-30861: Flask session cookie disclosure to templates

CVE-2023-30861 lets caching proxies leak Flask session cookies between users when responses aren't marked Vary: Cookie. Here's who's affected and how to fix it.

Oct 4, 20258 min read
Vulnerability Analysis

CVE-2023-25577: Denial of service in Werkzeug multipart p...

CVE-2023-25577 lets attackers trigger denial of service in Werkzeug's multipart parser via crafted uploads. Here's the impact, timeline, and fix.

Oct 3, 20257 min read
Vulnerability Analysis

CVE-2020-10108: Cross-protocol scripting in Twisted

CVE-2020-10108 lets a malicious server abuse Twisted's redirect handling for cross-protocol scripting. Affected versions, risk context, and fixes inside.

Oct 3, 20258 min read
Vulnerability Analysis

CVE-2020-10109: Denial of service in Twisted via 100-cont...

CVE-2020-10109 lets attackers hang Twisted's HTTP server with malformed 100-continue requests, exhausting resources until it stops responding.

Oct 3, 20257 min read
Vulnerability Analysis

CVE-2018-7750: Authentication bypass in paramiko SSH serv...

CVE-2018-7750 lets attackers bypass authentication on Paramiko SSH servers using interactive auth by forging a success message. Impact, timeline, and fixes inside.

Oct 2, 20258 min read
Vulnerability Analysis

CVE-2023-48795: Terrapin attack affecting paramiko SSH ex...

The Terrapin attack (CVE-2023-48795) lets on-path attackers truncate SSH extension negotiation, downgrading security in paramiko and other SSH implementations.

Oct 2, 20258 min read
Vulnerability Analysis

CVE-2020-11652: Directory traversal in SaltStack salt-master

CVE-2020-11652 lets remote attackers read files outside SaltStack file_roots via a salt-master directory traversal flaw. Impact, timeline, and fixes inside.

Oct 1, 20258 min read
Vulnerability Analysis

CVE-2018-11776: Remote code execution in Apache Struts2 v...

CVE-2018-11776 lets attackers achieve unauthenticated RCE in Apache Struts2 via crafted namespace/OGNL injection. Affected versions, timeline, and fixes.

Oct 1, 20257 min read
Vulnerability Analysis

CVE-2019-0230: OGNL remote code execution in Apache Struts2

CVE-2019-0230 lets attackers chain forced double OGNL evaluation in Struts2 tag attributes into remote code execution. Here's what's affected, the CVSS/EPSS context, and how to remediate it.

Oct 1, 20258 min read
Concepts

What Is the NVD (National Vulnerability Database)?

The NVD is the U.S. government's enrichment layer on top of the CVE List, adding CVSS scores, CWE classifications, and affected-configuration data. Here is how it works and where it falls short.

Sep 30, 20256 min read
Vulnerability Analysis

CVE-2019-12384: Polymorphic deserialization gadget in Jac...

CVE-2019-12384 is a Jackson-databind polymorphic deserialization gadget flaw via Ehcache's transaction manager class, patched in 2.9.9.1.

Sep 30, 20257 min read
Vulnerability Analysis

CVE-2019-12814: Jackson-databind polymorphic type gadget ...

A look at CVE-2019-12814, a jackson-databind polymorphic typing gadget tied to JAXB classes, its risk profile, and how to remediate it in modern Java stacks.

Sep 30, 20257 min read
vulnerability-analysis (Page 28) — Safeguard Blog