Collaborate Disseminate
I’m working on implementing a protection for a WordPress pie register plugin vulnerability being called:
WordPress pie register 3.7.1.4 auth bypass / RCE
I’ve conducted a research on the pie register source code (it’s an open-source plugi… Continue reading Implementing a protection for pie register vulnerability
After the log4j vulnerability was announced, I scanned my Mac to see if any applications were using it.
find / -name "*log4j*" 2>/dev/null
Here’s the output that indicates that Xcode has log4j bundled in:
./System/Volumes/Dat… Continue reading Is Xcode vulnerable due to log4j?
We’ve grown accustomed to it by now — a few million accounts broken into here, another hundred million there. After a company data breach, what happens to all the data? Where does it go? And how does this impact your vulnerability analysis? In June 2020, stolen Facebook user data suddenly popped up for sale on […]
The post What Happens to Information After a Data Breach? appeared first on Security Intelligence.
Continue reading What Happens to Information After a Data Breach?
I recently found that the latest release of a major Linux distribution (MX Linux) uses DSA-1024 in /etc/apt/trusted.gpg and in /etc/apt/trusted.gpg.d/*.gpg
It also probably uses SHA-1 as the signature algorithm (which is the most common on… Continue reading Is DSA-1024 safe to sign package repositories ? What are the reasons?
How can you tell when software is behaving strangely if you don’t know what the right behavior is? That’s an important question when it comes to threat actors. After all, attackers often hijack honest software, networks and systems for dishonest ends. To stop them with security tools, the first step must be to have great […]
The post Behavior Transparency: Where Application Security Meets Cyber Awareness appeared first on Security Intelligence.
Continue reading Behavior Transparency: Where Application Security Meets Cyber Awareness
Spending on cybersecurity is hitting record highs. And that makes sense. Because of big changes in how work gets done (plus the rising cost of breaches and attacks, like ransomware), companies are spending more than ever. But simply throwing money at the problem in order to try to become more cyber resilient is not a […]
The post Spend Wisely (Not Just More) to Become Cyber Resilient appeared first on Security Intelligence.
Continue reading Spend Wisely (Not Just More) to Become Cyber Resilient
How would one go about fixing vulnerabilities in indirect 3rd party libraries? Let’s say that the vulnerability is introduced via the following chain:
Introduced through:
example-app› express-prometheus-middleware@0.9.6 › prometheus-gc-sta… Continue reading Handling indirect vulnerable 3rd party dependencies
With bc-fips-1.0.1 there are below security vulnerabilities
CVE-2018-1000180
CVE-2020-26939
What are the impacts of those two CVE? Are this risks are very critical?
Both are fixed in bc-fips-1.0.2 but this version is degrading performanc… Continue reading bc-fips-1.0.1 security vulnerability, CVE-2018-1000180 and CVE-2020-26939 [closed]
I’m trying to build a base image that pulls from php:7.3-fpm, which is built on debian:buster-slim. The php:7.3-fpm base image has vulnerabilities out of the box, like https://security-tracker.debian.org/tracker/CVE-2019-3844 and https://s… Continue reading Remediating base image vulnerabilities
I keep hearing about the XML round trip vulnerability in version 3.2.4 of the Ruby package REXML. I looked into it myself, of course, and it seems to have something to do with parsing an XML document, then putting it back into XML again, a… Continue reading What is an XML round trip vulnerability?