%term

Resolving CVE-2022-1471 with the SnakeYAML 2.0 Release

Mar 3, 2023 By Nova In Veracode

In October of 2022, a critical flaw was found in the SnakeYAML package, which allowed an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Finally, in February 2023, the SnakeYAML 2.0 release was pushed that resolves this flaw, also referred to as CVE-2022-1471. Let’s break down how this version can help you resolve this critical flaw.

Read Post

Veracode

Read more about Resolving CVE-2022-1471 with the SnakeYAML 2.0 Release

This Week in VulnDB - The Big Fix Edition

Mar 3, 2023 By Snyk In Snyk

Welcome to This Week in VulnDB, Each episode we will look through some of the newer vulnerabilities in the Snyk vulnerability database, looking at emerging trends in attack vectors appearing in programming languages, platforms and ecosystems.

View Video

Snyk

Read more about This Week in VulnDB - The Big Fix Edition

Critical RCE Vulnerability in Multiple Cisco IP Phones: CVE-2023-20078

Mar 3, 2023 By James Liolios In Arctic Wolf

On Wednesday, March 1, 2023, Cisco published an advisory of a critical severity vulnerability impacting 6800, 7800, and 8800 series IP phones. The vulnerability allows for unauthenticated execution of arbitrary code. The vulnerability was responsibly disclosed to Cisco by a security researcher, and security patches are available to remediate the vulnerability.

Read Post

Arctic Wolf

Read more about Critical RCE Vulnerability in Multiple Cisco IP Phones: CVE-2023-20078

OWASP Top 10 - Breakdown

Mar 2, 2023 By Lewis Fairburn In Pentest People

This blog is a breakdown of the OWASP Top 10 application security risks. The Top 10, developed by OWASP (Open Web Application Security Project), provides an up-to-date list of the most critical web application security risks that websites and applications must address.

Read Post

Pentest People

Read more about OWASP Top 10 - Breakdown

Snyk in 30: Developer-first security democast

Mar 2, 2023 By Jim Armstrong In Snyk

In our latest Snyk in 30 democast, I demonstrated working on an app, starting in an IDE and going all the way to the live app deployed in the cloud. Along the way, I showed how Snyk fits into the tools a real developer might use. Specifically, I focused on the practical aspects of implementing Snyk in a real-world development and cloud environment, answering questions like: I’ll cover some of the main highlights from the presentation in this blog post.

Read Post

Snyk

Read more about Snyk in 30: Developer-first security democast

OAuth security gaps at Booking.com (now remediated)

Mar 2, 2023 By Salt Security In Salt Security

This short video explains how Salt Labs researchers identified several critical security flaws on the popular travel site Booking.com. The flaws were found in the site's authentication functionality and could have allowed a malicious attacker to take over user accounts, access profile information, and take actions on behalf of the user such as booking or canceling reservations and ordering transportation services.

View Video

Salt Security

Read more about OAuth security gaps at Booking.com (now remediated)

Three expert tips for cultivating secure software development practices

Mar 1, 2023 By Simon Maple In Snyk

We often hear about the importance of DevSecOps — integrating security into DevOps processes. But as many security professionals know, it’s not nearly as easy as it sounds. Cultivating secure software development practices requires working alongside developers with varying opinions, priorities, and idiosyncrasies. And any process involving humans is complicated. So, how do today’s security teams overcome these challenges and make secure software development practices a reality?

Read Post

Snyk

Read more about Three expert tips for cultivating secure software development practices

Stranger Danger: Your JavaScript Attack Surface Just Got Bigger

Mar 1, 2023 By Snyk In Snyk

Building JavaScript applications today means that we take a step further from writing code. We use open-source dependencies, create a Dockerfile to deploy containers to the cloud, and orchestrate this infrastructure with Kubernetes. Welcome - you're a cloud native application developer! As developers, our responsibility has broadened, and more software means more software security concerns for us to address.

View Video

Snyk

Read more about Stranger Danger: Your JavaScript Attack Surface Just Got Bigger

Testing the actual security of the most insecure Docker application

Feb 28, 2023 By David Fadida In JFrog

Our previous research on CVE exploitability in the top DockerHub images discovered that 78% of the reported CVEs were actually not exploitable. This time, the JFrog Security Research team used JFrog Xray’s Contextual Analysis feature, automatically analyzing the applicability of reported CVEs, to scan OWASP WebGoat – a deliberately insecure application. The results identified that out of 60 CVEs reported with a Critical CVSS score, only 10 are actually applicable.

Read Post

JFrog

Read more about Testing the actual security of the most insecure Docker application

Responsible disclosure: Access control vulnerability discovered in the ThingsBoard IoT platform

Feb 28, 2023 By Fotios Liatsis In Outpost 24

On December 2022, a security researcher from the Outpost24 Ghost Labs team discovered a vulnerability on the ThingsBoard IoT platform, where a normal user’s privileges can be escalated, by doing a simple post with an additional header, and exploiting the associated flaws, to take control over the entire platform and related accounts. Upon reporting of the vulnerability to the vendor, it was quickly resolved.

Read Post