
Vulnerability

CVE-2020-27304 - RCE via Directory Traversal in CivetWeb HTTP server

JFrog has recently disclosed a directory traversal issue in CivetWeb, a very popular embeddable web server/library that can either be used as a standalone web server or included as a library to add web server functionality to an existing application. The issue has been assigned to CVE-2020-27304.

How to mitigate the 0-day Apache path traversal vulnerability with Puppet or Bolt

Apache has disclosed a critical, actively exploited path traversal flaw in the popular Apache web server, version 2.4.49. This path traversal means that an attacker can trivially read the contents of any file on the server that the Apache process has access to. This could expose highly sensitive information, even as critical as the server's own private SSL certificates. See the Sonatype blog for more technical information on the vulnerability.

23andMe's Yamale Python code injection, and properly sanitizing eval()

JFrog security research team (formerly Vdoo) has recently disclosed a code injection issue in Yamale, a popular schema validator for YAML that’s used by over 200 repositories. The issue has been assigned to CVE-2021-38305.

The Vulnerability Conundrum: Improving the Disclosure Process

The vulnerability disclosure process involves reporting security flaws in software or hardware, and can be complex. Cooperation between the organization responsible for the software or hardware and the security researcher who discovers the vulnerability can be complicated. In this blog we’ll look at the vulnerability disclosure process, the parties involved and how they can collaborate productively.

Head-to-Head: Penetration Testing vs. Vulnerability Scanning

To release reasonably secure products, vendors must integrate software security processes throughout all stages of the software development lifecycle. That would include product architecture and design; implementation and verification; deployment and monitoring in the field; and back again to design to address the changing threat landscape, market needs, and product issues.

How to better prioritize vulnerability remediation through automated penetration testing

As most MSPs know, small- and medium-sized businesses are the most likely targets for cyberattacks. They lack many of the resources and infrastructure of their larger counterparts and a single cyberattack can be devastating. Analyzing and remediating vulnerabilities is an essential part of any security program. But current vulnerability management processes spit out long lists of instances that may or may not need remediation.

Critical Vulnerability in HAProxy (CVE-2021-40346): Integer Overflow Enables HTTP Smuggling

JFrog Security research teams are constantly looking for new and previously unknown vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered a potentially critical vulnerability in HAProxy, a widely used open-source load balancer proxy server that is particularly suited for very high traffic web sites and used by many leading companies.

Risk Mitigation Strategies for TCP/IP Vulnerabilities in OT

JFrog in collaboration with Forescout Research Labs recently released the fourth study from Project Memoria - the industry’s most comprehensive study of TCP/IP vulnerabilities. INFRA:HALT covers 14 vulnerabilities affecting the popular closed source TCP/IP stack NicheStack. These vulnerabilities can cause Denial of Service or Remote Code Execution, allowing attackers to take targeted OT and ICS devices offline or take control of them.

Scanning Dependencies in your sources using JFrog CLI and Xray

Security vulnerabilities and license violations should be found as early as possible, and the earlier in the SDLC, the better. As part of the “Shift Left” vision, JFrog CLI and Xray now allow scanning dependencies directly from sources, on-demand, using a simple command line. This functionality allows benefiting from the same JFrog Xray vulnerability and license scanning capabilities, even before deployment to JFrog Artifactory.

August/2021 - HAProxy 2.0+ HTTP/2 Vulnerabilities Fixed

If you are using HAProxy 2.0 or newer, it is important that you update to the latest version. A vulnerability was found that makes it possible to abuse the HTTP/2 parser, allowing an attacker to prepend hostnames to a request, append top-level domains to an existing domain, and inject invalid characters through the :method pseudo-header.