Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Snyk

Snyk

Buildkit build-time container teardown arbitrary delete (CVE-2024-23652)

Jan 31, 2024 By Rory McNamara In Snyk
Snyk has discovered a vulnerability in all versions of Docker Buildkit <=v0.12.4, as used by the Docker engine. Exploitation of this issue can result in arbitrary file and directory deletion in the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e, when using FROM). This issue has been assigned CVE-2024-23652.
Read Post
Snyk

Buildkit mount cache race: Build-time race condition container breakout (CVE-2024-23651)

Jan 31, 2024 By Rory McNamara In Snyk
Snyk has discovered a vulnerability in all versions of Docker Buildkit <=v0.12.4, as used by the Docker engine. The exploitation of this issue can result in container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e. when using FROM). This issue has been assigned CVE-2024-23651.
Read Post
Snyk

Vulnerability: runc process.cwd and leaked fds container breakout (CVE-2024-21626)

Jan 31, 2024 By Rory McNamara In Snyk
Snyk has discovered a vulnerability in all versions of runc <=1.1.11, as used by the Docker engine, along with other containerization technologies such as Kubernetes. Exploitation of this issue can result in container escape to the underlying host OS, either through executing a malicious image or building an image using a malicious Dockerfile or upstream image (i.e., when using FROM). This issue has been assigned the CVE-2024-21626.
Read Post
Snyk

Leaky Vessels: Docker and runc container breakout vulnerabilities (January 2024)

Jan 31, 2024 By Jamie Smith In Snyk
Snyk security researcher Rory McNamara, with the Snyk Security Labs team, identified four vulnerabilities — dubbed "Leaky Vessels" — in core container infrastructure components that allow container escapes. An attacker could use these container escapes to gain unauthorized access to the underlying host operating system from within the container.
Read Post
Snyk

7 tips to become a successful bug bounty hunter

Jan 25, 2024 By Ben Sadeghipour In Snyk
Bug bounty hunting is a process where security researchers or hackers actively search for and identify security vulnerabilities or "bugs" in web applications, IoT devices, mobile applications, or even smart contracts. These vulnerabilities can range from relatively simple issues like cross-site scripting (XSS) or SQL injection to more complex and critical weaknesses that could potentially compromise the security and privacy of users' data.
Read Post
Snyk

How a 0-day event galvanized a developer-led security mindset at DISH

Jan 24, 2024 By Brian Piper In Snyk
When a security incident happens, it’s one thing to reactively fix the issue, sweep it under the rug, and move on. It’s a whole other to respond to the situation with a proactive, forward-facing response — not only solving the existing issues but preparing the entire organization for the future. DISH Network did just that, responding to a significant security incident with new, shift-left initiatives that made their security and development teams stronger than ever.
Read Post
Snyk

3 tips from Snyk and Dynatrace's AI security experts

Jan 22, 2024 By Sarah Conway In Snyk
McKinsey is calling 2023 “generative AI’s breakout year.” In one of their recent surveys, a third of respondents reported their organizations use GenAI regularly in at least one business function. But as advancements in AI continue to reshape the tech landscape, many CCISOs are left grappling with this question: How does AI impact software development cycles and the overall security of business applications?
Read Post

How Jaguar Land Rover and Asda are Building a Modern DevSecOps Culture

Jan 19, 2024 By Snyk In Snyk
Organizations at different stages of growth or maturity will have different challenges when adopting a modern DevSecOps program. In this session we talked with Mike Welsh, Lead Enterprise Security Architect DevSecOps, at JLR, and Ruta Baltiejute, DevSecOps Lead at Asda, about their differing approach to implementing a secure development model at their organizations. We discussed the significant differences between how they’re building software today, including their approach to change in People, Process and Tooling.
View Video
Snyk

Understanding and mitigating the Jinja2 XSS vulnerability (CVE-2024-22195)

Jan 18, 2024 By Calum Hutton In Snyk

On January 11th, 2024, a significant security vulnerability was disclosed in Jinja2, a widely used Python templating library. Identified as CVE-2024-22195, this cross-site scripting (XSS) vulnerability has raised concerns due to its impact on numerous projects. Jinja2 boasts over 33 million weekly downloads, nearly 10,000 GitHub stars, and over 90,000 dependent projects. The vulnerability affects all versions prior to 3.1.3, with the patched version 3.1.3 being the only safe option.

Read Post

Copyright © 2024 OpsMatters™. All rights reserved.