vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
CVE-2023-30861: Flask session cookie disclosure to templates
CVE-2023-30861 lets caching proxies leak Flask session cookies between users when responses aren't marked Vary: Cookie. Here's who's affected and how to fix it.
CVE-2023-25577: Denial of service in Werkzeug multipart p...
CVE-2023-25577 lets attackers trigger denial of service in Werkzeug's multipart parser via crafted uploads. Here's the impact, timeline, and fix.
CVE-2020-10108: Cross-protocol scripting in Twisted
CVE-2020-10108 lets a malicious server abuse Twisted's redirect handling for cross-protocol scripting. Affected versions, risk context, and fixes inside.
CVE-2020-10109: Denial of service in Twisted via 100-cont...
CVE-2020-10109 lets attackers hang Twisted's HTTP server with malformed 100-continue requests, exhausting resources until it stops responding.
CVE-2018-7750: Authentication bypass in paramiko SSH serv...
CVE-2018-7750 lets attackers bypass authentication on Paramiko SSH servers using interactive auth by forging a success message. Impact, timeline, and fixes inside.
CVE-2023-48795: Terrapin attack affecting paramiko SSH ex...
The Terrapin attack (CVE-2023-48795) lets on-path attackers truncate SSH extension negotiation, downgrading security in paramiko and other SSH implementations.
CVE-2020-11652: Directory traversal in SaltStack salt-master
CVE-2020-11652 lets remote attackers read files outside SaltStack file_roots via a salt-master directory traversal flaw. Impact, timeline, and fixes inside.
CVE-2018-11776: Remote code execution in Apache Struts2 v...
CVE-2018-11776 lets attackers achieve unauthenticated RCE in Apache Struts2 via crafted namespace/OGNL injection. Affected versions, timeline, and fixes.
CVE-2019-0230: OGNL remote code execution in Apache Struts2
CVE-2019-0230 lets attackers chain forced double OGNL evaluation in Struts2 tag attributes into remote code execution. Here's what's affected, the CVSS/EPSS context, and how to remediate it.
What Is the NVD (National Vulnerability Database)?
The NVD is the U.S. government's enrichment layer on top of the CVE List, adding CVSS scores, CWE classifications, and affected-configuration data. Here is how it works and where it falls short.
CVE-2019-12384: Polymorphic deserialization gadget in Jac...
CVE-2019-12384 is a Jackson-databind polymorphic deserialization gadget flaw via Ehcache's transaction manager class, patched in 2.9.9.1.
CVE-2019-12814: Jackson-databind polymorphic type gadget ...
A look at CVE-2019-12814, a jackson-databind polymorphic typing gadget tied to JAXB classes, its risk profile, and how to remediate it in modern Java stacks.