Safeguard
Tag

vulnerability-analysis

Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.

360 articles

Vulnerability Analysis

CVE-2019-16335: Jackson-databind gadget via jackson-dataf...

CVE-2019-16335 is a jackson-databind polymorphic deserialization flaw tied to jackson-dataformat-cbor, fixed in 2.9.10. Here's the impact, timeline, and fix.

Sep 29, 20257 min read
Vulnerability Analysis

CVE-2020-1938 (Ghostcat): File inclusion via Apache Tomca...

Ghostcat (CVE-2020-1938) let attackers read files—and often achieve RCE—via Tomcat's default, unauthenticated AJP connector. Here's the risk, fix, and KEV context.

Sep 24, 20257 min read
Vulnerability Analysis

CVE-2021-33037: HTTP request smuggling in Apache Tomcat

CVE-2021-33037 let malformed HTTP trailers desync Apache Tomcat from front-end proxies, enabling request smuggling. Here's what's affected and how to remediate.

Sep 24, 20257 min read
Vulnerability Analysis

CVE-2019-0232: Remote code execution in Apache Tomcat CGI...

CVE-2019-0232 lets attackers execute arbitrary commands on Windows-hosted Apache Tomcat via the CGI Servlet. Here's the CVSS 9.8 detail, affected versions, and fixes.

Sep 24, 20258 min read
Vulnerability Analysis

CVE-2020-9484: Deserialization RCE via Apache Tomcat Pers...

A deep dive into CVE-2020-9484, the Apache Tomcat PersistenceManager deserialization RCE — affected versions, CVSS/EPSS context, and remediation steps.

Sep 23, 20257 min read
Vulnerability Analysis

CVE-2021-25122: Request mix-up via Apache Tomcat h2c support

CVE-2021-25122 let Apache Tomcat mix up HTTP responses between concurrent users via the h2c upgrade path. Here's the impact, affected versions, and how to remediate.

Sep 23, 20256 min read
Vulnerability Analysis

CVE-2021-25329: Incomplete fix of Tomcat PersistenceManag...

CVE-2021-25329 shows how Tomcat's PersistenceManager deserialization fix (CVE-2020-9484) was incomplete, still risking RCE in edge-case configs.

Sep 23, 20258 min read
Vulnerability Analysis

CVE-2016-1000027: Remote code execution via Spring HttpIn...

A decade-old flaw in Spring's HttpInvokerServiceExporter enables unauthenticated RCE via Java deserialization. Severity, timeline, and remediation for CVE-2016-1000027.

Sep 22, 20257 min read
Vulnerability Analysis

CVE-2018-1270: Remote code execution in Spring Messaging ...

CVE-2018-1270 is a critical, unauthenticated RCE in Spring Messaging's STOMP-over-WebSocket support. Here's what's affected, how severe it is, and how to remediate it.

Sep 22, 20257 min read
Vulnerability Analysis

CVE-2018-1271: Path traversal in Spring MVC static resour...

A path traversal flaw in Spring MVC's static resource handling let attackers on Windows deployments escape the web root and read arbitrary files.

Sep 22, 20257 min read
Vulnerability Analysis

CVE-2020-5398: Content-type bypass in Spring Framework

CVE-2020-5398 lets attackers bypass Spring Framework RFD protections via Content-Disposition, tricking browsers into downloading malicious files.

Sep 21, 20257 min read
Vulnerability Analysis

CVE-2016-4977: Remote code execution in Spring Security O...

CVE-2016-4977 let attackers achieve remote code execution against Spring Security OAuth's whitelabel views via SpEL injection. Here's what shipped, why, and how to fix it.

Sep 21, 20258 min read
vulnerability-analysis (Page 29) — Safeguard Blog