vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
CVE-2019-16335: Jackson-databind gadget via jackson-dataf...
CVE-2019-16335 is a jackson-databind polymorphic deserialization flaw tied to jackson-dataformat-cbor, fixed in 2.9.10. Here's the impact, timeline, and fix.
CVE-2020-1938 (Ghostcat): File inclusion via Apache Tomca...
Ghostcat (CVE-2020-1938) let attackers read files—and often achieve RCE—via Tomcat's default, unauthenticated AJP connector. Here's the risk, fix, and KEV context.
CVE-2021-33037: HTTP request smuggling in Apache Tomcat
CVE-2021-33037 let malformed HTTP trailers desync Apache Tomcat from front-end proxies, enabling request smuggling. Here's what's affected and how to remediate.
CVE-2019-0232: Remote code execution in Apache Tomcat CGI...
CVE-2019-0232 lets attackers execute arbitrary commands on Windows-hosted Apache Tomcat via the CGI Servlet. Here's the CVSS 9.8 detail, affected versions, and fixes.
CVE-2020-9484: Deserialization RCE via Apache Tomcat Pers...
A deep dive into CVE-2020-9484, the Apache Tomcat PersistenceManager deserialization RCE — affected versions, CVSS/EPSS context, and remediation steps.
CVE-2021-25122: Request mix-up via Apache Tomcat h2c support
CVE-2021-25122 let Apache Tomcat mix up HTTP responses between concurrent users via the h2c upgrade path. Here's the impact, affected versions, and how to remediate.
CVE-2021-25329: Incomplete fix of Tomcat PersistenceManag...
CVE-2021-25329 shows how Tomcat's PersistenceManager deserialization fix (CVE-2020-9484) was incomplete, still risking RCE in edge-case configs.
CVE-2016-1000027: Remote code execution via Spring HttpIn...
A decade-old flaw in Spring's HttpInvokerServiceExporter enables unauthenticated RCE via Java deserialization. Severity, timeline, and remediation for CVE-2016-1000027.
CVE-2018-1270: Remote code execution in Spring Messaging ...
CVE-2018-1270 is a critical, unauthenticated RCE in Spring Messaging's STOMP-over-WebSocket support. Here's what's affected, how severe it is, and how to remediate it.
CVE-2018-1271: Path traversal in Spring MVC static resour...
A path traversal flaw in Spring MVC's static resource handling let attackers on Windows deployments escape the web root and read arbitrary files.
CVE-2020-5398: Content-type bypass in Spring Framework
CVE-2020-5398 lets attackers bypass Spring Framework RFD protections via Content-Disposition, tricking browsers into downloading malicious files.
CVE-2016-4977: Remote code execution in Spring Security O...
CVE-2016-4977 let attackers achieve remote code execution against Spring Security OAuth's whitelabel views via SpEL injection. Here's what shipped, why, and how to fix it.