In modern web development, JSON Web Tokens (JWTs) have become a popular method of securely transmitting information between parties. JWTs are used for authentication and authorization and are often used to store user information. However, with the increasing use of JWTs come potential security risks that developers need to be aware of. As a developer, you are responsible for ensuring that your application is secure and user data is protected.
By Vadim Freger, Dolev Moshe Attiya On December 7th, 2023, the Apache Struts project disclosed a critical vulnerability (CVSS score 9.8) in its Struts 2 open-source web framework. The vulnerability resides in the flawed file upload logic and allows attackers to manipulate upload parameters, resulting in arbitrary file upload and code execution under certain conditions. There is no known workaround, and the only solution is to upgrade to the latest versions, the affected versions being.
Apache has released an advisory for a critical vulnerability discovered in Struts versions 2.0.0-2.3.37(EOL), 6.0.0-6.3.0.1 and 2.0.0-2.5.32. This vulnerability is being tracked as CVE-2023-50164 with a CVSS score of 9.8 (Critical) and is reportedly being actively exploited. Impacted versions are affected by a file upload and directory traversal vulnerability that can lead to remote code execution.
With over 50,000 in attendance, AWS re:Invent 2023 had generative AI taking center stage at keynotes, race cars, and robots wowing at the Expo. Once again, Snyk showed up in a big way. Some of our highlights included being awarded the AWS ISV Partner of the Year in EMEA and UKI, achieving AWS Security Competency, and several new integrations with AWS services. Best of all, we got to meet all of you!
Each day there are more and more cyber attacks and threats occurring, with those looking to exploit your IT systems finding various different methods to infiltrate your IT infrastructure. This means it's more vital than ever that you limit the vulnerabilities of your IT infrastructure and guarantee its security. In regards to this, a viable solution available to you is vulnerability assessment.
On December 13th, The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) have issued an urgent advisory about the ongoing exploit of CVE-2023-42793 by Russian Foreign Intelligence Service (SVR) threat actors.
Proprietary severity scoring often burdens AppSec teams. With every new vendor, you must evaluate their custom severity framework and work to translate assessed risk between tools. To eliminate this burden and provide our customers with a clear security assessment for configurations across the SDLC, Snyk will be moving towards standardizing our code to cloud security rules set on the Common Configuration Scoring System (CCSS)!
We are thrilled to announce the introduction of our new vulnerabilities page on assessments. This innovative update allows you to view the overall status and remediation progress of all your assets for a single assessment in one comprehensive view. We've listened to your feedback, and we believe these enhancements will bring a more streamlined and efficient approach to your vulnerability management.
The pace of software development is astounding! The transition to agile, DevOps, cloud, and the supercharged use of AI is empowering distributed development teams to build software with greater speed and autonomy. In contrast to the remarkable strides in development methodologies, maintaining a robust security posture has become a formidable challenge. AppSec teams are still playing catchup, both outnumbered and out-resourced.
