Safeguard
Tag

vulnerability-management

Safeguard articles tagged "vulnerability-management" — guides, analysis, and best practices for software supply chain and application security.

635 articles

Vulnerability Analysis

CVE-2021-33503: ReDoS in urllib3 URL authority parsing

CVE-2021-33503 exposes urllib3 before 1.26.5 to a ReDoS in URL authority parsing, letting attacker URLs exhaust CPU. What to patch and why.

Oct 7, 20257 min read
Vulnerability Analysis

CVE-2020-26137: CRLF injection in urllib3 header handling

CVE-2020-26137 let attackers inject CRLF sequences into urllib3-built HTTP requests. Here's the impact, affected versions, and how to remediate it.

Oct 7, 20257 min read
Vulnerability Analysis

CVE-2019-1010083: Denial of service in Flask via large mu...

CVE-2019-1010083 let attackers crash Flask apps with crafted multipart requests. Here's the impact, affected versions, and how to remediate the DoS flaw.

Oct 3, 20257 min read
Vulnerability Analysis

CVE-2020-27783: Cross-site scripting bypass in lxml html ...

CVE-2020-27783 lets attackers bypass lxml's html.clean.Cleaner sanitizer to smuggle XSS past HTML cleaning. Here's what's affected and how to remediate it.

Oct 2, 20257 min read
Vulnerability Analysis

CVE-2020-11651: Authentication bypass in SaltStack salt-m...

CVE-2020-11651, a critical CVSS 9.8 authentication bypass in SaltStack's salt-master, enabled unauthenticated RCE and fueled real-world attacks on LineageOS, Ghost, and DigiCert.

Oct 1, 20258 min read
Vulnerability Analysis

CVE-2020-17530: Forced OGNL evaluation RCE in Apache Struts2

CVE-2020-17530 lets attackers achieve unauthenticated RCE in Apache Struts2 via forced OGNL evaluation. Here's the scope, timeline, and how to remediate it.

Sep 30, 20257 min read
Vulnerability Analysis

CVE-2015-6420: Deserialization vulnerability via Apache C...

How a vulnerable Apache Commons Collections library let attackers achieve remote code execution via Java deserialization gadget chains, and what CVE-2015-6420 still teaches about supply chain risk.

Sep 30, 20258 min read
Vulnerability Analysis

CVE-2019-14379: Jackson-databind deserialization via jdk....

CVE-2019-14379 lets attackers abuse jackson-databind's polymorphic deserialization via a JDK Nashorn gadget class. Here's the risk, fix, and detection guidance.

Sep 29, 20257 min read
AppSec

SAST, DAST, and SCA: The Three Scanner Types You Actually Need

Each scanner type answers a different question about your application. Here's what SAST, DAST, and SCA each catch, and why running just one leaves gaps.

Sep 23, 20255 min read
Vulnerability Analysis

CVE-2018-1199: Authorization bypass in Spring Security CO...

CVE-2018-1199 let CORS pre-flight requests slip past Spring Security's authorization checks. What it affected, its real severity, and how to remediate it.

Sep 21, 20257 min read
Vulnerability Analysis

CVE-2019-0981: .NET Core remote code execution (second va...

CVE-2019-0981, the second variant of the April 2019 .NET Core RCE pair, let attackers run arbitrary code via a malicious file. Here's what to patch and why.

Sep 20, 20257 min read
Vulnerability Analysis

CVE-2020-0602: Denial of service in ASP.NET Core

A denial of service flaw in ASP.NET Core 3.0/3.1, patched January 2020. Unauthenticated, network-exploitable, high-severity impact on availability.

Sep 19, 20258 min read
vulnerability-management (Page 40) — Safeguard Blog