%term

dompdf security alert: RCE vulnerability found in popular PHP PDF library

Mar 18, 2022 By DeveloperSteve In Snyk

Recently, researchers from Positive Security published findings identifying a major remote code execution (RCE) vulnerability in dompdf, a popular PDF generation library. In their reporting, they outlined a way that code could be loaded into an application and then remotely executed during a PDF being generated. Dompdf is used quite extensively within the PHP ecosystem, and is used within over 59,000 open sourced platforms and projects.

Read Post

Snyk

Read more about dompdf security alert: RCE vulnerability found in popular PHP PDF library

What to Expect from a Vulnerability Assessment Service | Cyphere

Mar 18, 2022 By Cyphere In Cyphere

A vulnerability assessment is an important step in securing your business. By identifying and addressing potential security vulnerabilities, you can help protect your company's data and reputation. In this video, we discuss what to expect from a vulnerability assessment service.#vulnerabilityassessment #securingbusiness

View Video

Cyphere

Read more about What to Expect from a Vulnerability Assessment Service | Cyphere

Linux 'Dirty Pipe' vulnerability: Snyk explains the risk and what you can do to protect your systems

Mar 17, 2022 By Snyk In Snyk

Last week, a critical vulnerability was discovered in Linux. Developer-first security company, Snyk, warns Linux users of the flaw in the Linux kernel that can be exploited by attackers allowing any process to modify files regardless of their permission settings or ownership.

Read Post

Snyk

Read more about Linux 'Dirty Pipe' vulnerability: Snyk explains the risk and what you can do to protect your systems

Opensource from hell: malicious JavaScript distributed via opensource libraries, again

Mar 17, 2022 By Martin Jartelius In Outpost 24

It’s open source, anyone can audit it, but is it safe? In this blog our CSO explores why distribution of malicious scripts via libraries is causing a stir amongst the open-source community and how you can defend against it.

Read Post

Outpost 24

Read more about Opensource from hell: malicious JavaScript distributed via opensource libraries, again

Mitigating CVE-2022-0811: Arbitrary code execution affecting CRI-O

Mar 17, 2022 By Stefano Chierici In Sysdig

A new vulnerability CVE-2022-0811, alias cr8escape, with CVSS 8.8 (HIGH) has been found in the CRI-O container engine by Crowdstrike. This vulnerability can lead to arbitrary code execution. The container engines affected are: Any containerized infrastructure that relies on these vulnerable container engines is affected as well, including Kubernetes and OpenShift (version 4.6 to 4.10).

Read Post

Sysdig

Read more about Mitigating CVE-2022-0811: Arbitrary code execution affecting CRI-O

Python RCE vulnerability in Celery

Mar 17, 2022 By Snyk In Snyk

Learn about a new Python RCE vulnerability in Celery! We will dive in to the defective code as well as the fix! Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and more.

View Video

Snyk

Read more about Python RCE vulnerability in Celery

10 tips for keeping your Docker containers safe from Log4Shell

Mar 17, 2022 By Marco Morales In Snyk

Today we’re pleased to announce an update to our popular Docker and Snyk vulnerability cheat sheet. Since 2020, millions of MacOS and Windows developers have been able to use docker scan to analyze their containers in their local environments as part of their day-to-day development. This capability gives teams feedback at the time of active development for faster cycles.

Read Post

Snyk

Read more about 10 tips for keeping your Docker containers safe from Log4Shell

Diving into CVE-2022-23943 - a new Apache memory corruption vulnerability

Mar 17, 2022 By Brian Moussalli In JFrog

A few days ago it was reported that the new Apache version 2.4.53 contains fixes for several bugs which exposed the users of the well known HTTP server to attacks: CVE-2022-22719 relates to a bug in the mod_lua modules which may lead to Denial of Service after reading from a random memory Area, CVE-2022-22720 exposes the server to HTTP Smuggling attacks, CVE-2022-22721 exposes the server to a buffer overflow when handling large XML input, and CVE-2022-23943 is a vulnerability in the mod_sed module, whi

Read Post

JFrog

Read more about Diving into CVE-2022-23943 - a new Apache memory corruption vulnerability

Most Common Authorization Vulnerabilities

Mar 16, 2022 By Sakshyam Shah In Teleport

Authorization vulnerabilities allow malicious users to perform unwanted actions or access resources that are deemed protected otherwise. Authorization vulnerabilities are one of the most widely found vulnerabilities in web applications. The OWASP top 10 list of web application security risks listed broken access control vulnerabilities as the number one risk in 2021, so understanding authorization vulnerabilities is an important topic for application security engineers.

Read Post

Teleport

Read more about Most Common Authorization Vulnerabilities

Alert: peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine

Mar 16, 2022 By Liran Tal In Snyk

On March 15, 2022, users of the popular Vue.js frontend JavaScript framework started experiencing what can only be described as a supply chain attack impacting the npm ecosystem. This was the result of the nested dependencies node-ipc and peacenotwar being sabotaged as an act of protest by the maintainer of the node-ipc package.

Read Post