On December 13, 2023, threat actors began exploitation attempts against CVE-2023-50164, a critical-severity remote code execution (RCE) vulnerability impacting Apache Struts, an open-source framework used to create Java Web applications. Based on current intelligence, the threat actors are leveraging a publicly published proof of concept (PoC) exploit.

We’re proud that Snyk has been honored with inclusion on the inaugural Fortune Cyber 60 list as a top growth-stage company. The full list was unveiled late last week. In 2023, our industry encountered distinctive challenges, but the entire Snyk community demonstrated resilience and a steadfast commitment to our founding mission: empowering and equipping DevSecOps teams worldwide to build securely.

On November 16, 2023, Google’s Threat Analysis Group revealed an alarming vulnerability in Zimbra Collaboration—a reflected cross-site scripting (XSS) vulnerability assigned CVE-2023-37580. The Zimbra Collaboration Suite (ZCS) is a software platform that combines email, calendar, contacts, file sharing, and other collaboration tools into a single integrated package. The CVE-2023-37580 allows an attacker to inject a malicious script directly into the URL parameter.

In modern web development, JSON Web Tokens (JWTs) have become a popular method of securely transmitting information between parties. JWTs are used for authentication and authorization and are often used to store user information. However, with the increasing use of JWTs come potential security risks that developers need to be aware of. As a developer, you are responsible for ensuring that your application is secure and user data is protected.

By Vadim Freger, Dolev Moshe Attiya On December 7th, 2023, the Apache Struts project disclosed a critical vulnerability (CVSS score 9.8) in its Struts 2 open-source web framework. The vulnerability resides in the flawed file upload logic and allows attackers to manipulate upload parameters, resulting in arbitrary file upload and code execution under certain conditions. There is no known workaround, and the only solution is to upgrade to the latest versions, the affected versions being.

Apache has released an advisory for a critical vulnerability discovered in Struts versions 2.0.0-2.3.37(EOL), 6.0.0-6.3.0.1 and 2.0.0-2.5.32. This vulnerability is being tracked as CVE-2023-50164 with a CVSS score of 9.8 (Critical) and is reportedly being actively exploited. Impacted versions are affected by a file upload and directory traversal vulnerability that can lead to remote code execution.

With over 50,000 in attendance, AWS re:Invent 2023 had generative AI taking center stage at keynotes, race cars, and robots wowing at the Expo. Once again, Snyk showed up in a big way. Some of our highlights included being awarded the AWS ISV Partner of the Year in EMEA and UKI, achieving AWS Security Competency, and several new integrations with AWS services. Best of all, we got to meet all of you!

Each day there are more and more cyber attacks and threats occurring, with those looking to exploit your IT systems finding various different methods to infiltrate your IT infrastructure. This means it's more vital than ever that you limit the vulnerabilities of your IT infrastructure and guarantee its security. In regards to this, a viable solution available to you is vulnerability assessment.

On December 13th, The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) have issued an urgent advisory about the ongoing exploit of CVE-2023-42793 by Russian Foreign Intelligence Service (SVR) threat actors.

Proprietary severity scoring often burdens AppSec teams. With every new vendor, you must evaluate their custom severity framework and work to translate assessed risk between tools. To eliminate this burden and provide our customers with a clear security assessment for configurations across the SDLC, Snyk will be moving towards standardizing our code to cloud security rules set on the Common Configuration Scoring System (CCSS)!