Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Latest News

Lessons learned from the Argo CD zero-day vulnerability (CVE-2022-24348)

On January 30, 2022, , the Argo CD team was contacted by researchers at Apiiro regarding a vulnerability they had discovered in the popular continuous delivery platform that could allow bad actors to steal sensitive information from deployments. The Argo CD team was able to quickly develop fixes for all three of their currently supported releases and publish them to their users within 48 hours.

Log4Shell Peace of Mind in Minutes, Not Weeks

Discovered on December 9, 2021, the log4Shell vulnerability is one of the most talked-about vulnerabilities in computing. Because simple text can be used to take control of a device and download anything that is Internet-accessible, companies are taking it seriously. As they should – log4Shell has the maximum CVSS score of 10 (CVSS, Common Vulnerability Scoring System, is an industry-standard for ranking vulnerabilities).

From Stored XSS to Code Execution using SocEng, BeEF and elFinder CVE-2021-45919

A stored cross-site scripting vulnerability, tracked as CVE-2021-45919, was identified in elFinder File Manager. The vulnerability can result in the theft of user credentials, tokens, and the ability to execute malicious JavaScript in the user's browser. Any organization utilizing an out-of-date elFinder component on its web application could be affected.

CVE-2021-44142: Critical Samba Vulnerability Allows Remote Code Execution

Recently, a critical out-of-bounds vulnerability, assigned to CVE-2021-44142, was disclosed in Samba versions prior to 4.13.17. The Samba vulnerability carries a critical CVSS of 9.9 and allows attackers to remotely execute code on machines running a Samba server with a vulnerable configuration. The vulnerability was disclosed as part of the Pwn2Own Austin competition where researchers are challenged to exploit widely-used software and devices with unknown vulnerabilities.

How to Protect the Software Supply Chain from Vulnerable Third-Party Code

What happens when the software, scripts and code snippets that your business uses on your website and network have been compromised at the source? The compromise could be unintentional—perhaps the coders simply made a mistake. Or the compromise could be intentional—maybe hackers wrote a malicious script and promoted it as legitimate on a third-party library source to encourage users to download and install.

CVE 2022-24348 - Argo CD High Severity Vulnerability and its impact on Kubernetes

Researcher Moshe Zioni from Apiiro, discovered a major software supply chain critical vulnerability - CVE-2022-24348 - in the popular open-source CD platform Argo CD. Exploiting it enables attackers to obtain sensitive information like credentials, secrets, API keys from other applications. This in turn can lead to privilege escalation, lateral movements, and information disclosure.

How to Protect Cloud Workloads from Zero-day Vulnerabilities

Protecting cloud workloads from zero-day vulnerabilities like Log4Shell is a challenge that every organization faces. When a vulnerability is published, organizations can try to identify impacted artifacts through software composition analysis, but even if they’re able to identify all impacted areas, the patching process can be cumbersome and time-consuming. As we saw with Log4Shell, this can become even more complicated when the vulnerability is nearly ubiquitous.

Log4Shell remediation with Snyk by the numbers

We’re almost two months from the disclosure of Log4Shell, and we here at Snyk couldn’t be more excited with the role we’ve gotten to play in finding and fixing this critical vulnerability that’s impacted so many Java shops. For starters, we’ve been able to help our customers remediate Log4Shell 100x faster than the industry average! How have we been able to achieve that?

ServiceNow - Username Enumeration Vulnerability (CVE-2021-45901)

During a recent engagement Trustwave SpiderLabs discovered a vulnerability (CVE-2021-45901) within ServiceNow (Orlando) which allows for a successful username enumeration by using a wordlist. By using an unauthenticated session and navigating to the password reset form, it is possible to infer a valid username. This is achieved through examination of the HTTP POST response data initially triggered by the password reset web form. This response differs depending on a username's existence.

Fun with ciphers in copycat Wordles

Here at Snyk, we spend a lot of time researching vulnerabilities. We do that because there are a lot of other folks out there researching new ways to break into apps and systems. We’re often putting on our “grey hats” to think like a malicious hacker. I regularly view-source, look at network traffic and eyeball query strings. One such delicious little query string caught my attention this week on one of the many copycat Wordle sites.