<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[GitHub Security Lab]]></title><description><![CDATA[GitHub Security Lab]]></description><link>http://github.com/dylang/node-rss</link><generator>GatsbyJS</generator><lastBuildDate>Sat, 31 Oct 2020 14:20:59 GMT</lastBuildDate><item><title><![CDATA[GHSL-2020-143: Arbitrary Code Execution in FastReports - CVE-2020-27998]]></title><description><![CDATA[FastReports is vulnerable to arbitrary code execution because it compiles and runs C# code from a report template]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-143-FastReportsInc-FastReports</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-143-FastReportsInc-FastReports</guid><pubDate>Fri, 30 Oct 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-157: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in IdentityManager]]></title><description><![CDATA[IdentityManager is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) that may lead to the elevation of privileges and per-user denial of service (DoS).]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-157-IdentityManager</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-157-IdentityManager</guid><pubDate>Thu, 29 Oct 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-134: NULL dereference in Samba - CVE-2020-14323]]></title><description><![CDATA[An unprivileged local user may trigger a NULL dereference bug in Samba's Winbind service leading to Denial of Service (DoS)]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-134-samba-winbindd</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-134-samba-winbindd</guid><pubDate>Thu, 29 Oct 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Exploiting a textbook use-after-free in Chrome]]></title><description><![CDATA[In this post I'll give details about how to exploit CVE-2020-6449, a use-after-free (UAF) in the WebAudio module of Chrome that I discovered in March 2020. I'll give an outline of the general strategy to exploit this type of UAF to achieve a sandboxed RCE in Chrome by a single click (and perhaps a 2 minute wait) on a malicious website.]]></description><link>https://securitylab.github.com/research/CVE-2020-6449-exploit-chrome-uaf</link><guid isPermaLink="false">https://securitylab.github.com/research/CVE-2020-6449-exploit-chrome-uaf</guid><pubDate>Tue, 27 Oct 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Hack this repository: The EkoParty 2020 GitHub CTF challenges]]></title><description><![CDATA[In this post we recap the intended solutions for the GitHub levels of the EkoParty 2020 main CTF.]]></description><link>https://securitylab.github.com/research/ekoparty-ctf</link><guid isPermaLink="false">https://securitylab.github.com/research/ekoparty-ctf</guid><pubDate>Tue, 20 Oct 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-074, 077, 078: Memory corruptions in HPLIP - CVE-2020-6923]]></title><description><![CDATA[HPLIP contains two memory corruption vulnerabilities which can be triggered by a malicious device or computer that is connected to the same network.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-074-hplip</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-074-hplip</guid><pubDate>Wed, 30 Sep 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-113: Command injection vulnerability in limdu - CVE-2020-4066]]></title><description><![CDATA[The `trainBatch` function has a command injection vulnerability. Clients of the Limdu library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-113-limdu</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-113-limdu</guid><pubDate>Thu, 24 Sep 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[The Grey area of software security - whose responsibility is it?]]></title><description><![CDATA[Security is a complex area. One software component may break the assumptions made by another component and it is not always clear who should fix the code to remediate the security implications.]]></description><link>https://securitylab.github.com/research/the-gray-area-of-security</link><guid isPermaLink="false">https://securitylab.github.com/research/the-gray-area-of-security</guid><pubDate>Wed, 23 Sep 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-097: Missing hostname validation in twitter-stream - CVE-2020-24392]]></title><description><![CDATA[Missing hostname validation allows an attacker to perform a monster in the middle attack against users of the library.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-097-voloko-twitter-stream</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-097-voloko-twitter-stream</guid><pubDate>Tue, 22 Sep 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-096: Missing hostname validation in tweetstream - CVE-2020-24393]]></title><description><![CDATA[Missing hostname validation allows an attacker to perform a monster in the middle attack against users of tweetstream]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-096-tweetstream-tweetstream</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-096-tweetstream-tweetstream</guid><pubDate>Tue, 22 Sep 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-145: Command injection on Windows in Opener]]></title><description><![CDATA[Although code execution is part of the intended purpose of Opener, a crafted url can run an arbitrary shell command rather than just launching a browser.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-145-domenic-opener</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-145-domenic-opener</guid><pubDate>Wed, 16 Sep 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-140: Open redirect in Traefik - CVE-2020-15129]]></title><description><![CDATA[There exists a potential open redirect vulnerability in Traefik's handling of the `X-Forwarded-Prefix` header. ]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-140-Containous-Traefik</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-140-Containous-Traefik</guid><pubDate>Mon, 14 Sep 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[The weakest link]]></title><description><![CDATA[In this post we will talk about how we identified an important design detail in a C library called eventmachine and how it undermined the security of several ruby packages.]]></description><link>https://securitylab.github.com/research/the-weakest-link</link><guid isPermaLink="false">https://securitylab.github.com/research/the-weakest-link</guid><pubDate>Thu, 10 Sep 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-132: SQL Injection in Mailtrain - CVE-2020-24617]]></title><description><![CDATA[SQL injection and missing CSRF protection may lead to Remote Code Execution (RCE) or arbitrary file read.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-132-Mailtrain</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-132-Mailtrain</guid><pubDate>Wed, 09 Sep 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-126: Open URL redirect in Orange Forum 1.x.x]]></title><description><![CDATA[There exists an `Open URL redirect` vulnerability in the 1.x.x branch of Orange Forum. An attacker can send an Orange Forum user a crafted link targeting the login page of Orange Forum, redirecting to a malicious site.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-126-orangeforum</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-126-orangeforum</guid><pubDate>Tue, 08 Sep 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-133: Path traversal vulnerability in Adobe git-server - CVE-2020-9708]]></title><description><![CDATA[Malicious users may access any Git repository on the server even if it is outside the served root directory]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-133-Adobe-Git-server</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-133-Adobe-Git-server</guid><pubDate>Wed, 02 Sep 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-109: Command injection in codecov]]></title><description><![CDATA[The `upload` method has a command injection vulnerability. Clients of the `codecov-node` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-109-codecov</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-109-codecov</guid><pubDate>Mon, 31 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Now you C me, now you don't: An introduction to the hidden attack surface of interpreted languages]]></title><description><![CDATA[Aimed at developers, in this series we introduce and explore the memory unsafe attack surface of interpreted languages.]]></description><link>https://securitylab.github.com/research/now-you-c-me</link><guid isPermaLink="false">https://securitylab.github.com/research/now-you-c-me</guid><pubDate>Thu, 27 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-095 : Monster in the middle attack in em-imap - CVE-2020-13163]]></title><description><![CDATA[Missing hostname validation allows an attacker to perform a monster in the middle attack against users of the library.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-095-conradirwin-em-imap</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-095-conradirwin-em-imap</guid><pubDate>Wed, 26 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-076: Server-Side Template Injection in Cascade CMS]]></title><description><![CDATA[A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Cascade CMS.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-076-cascade_cms</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-076-cascade_cms</guid><pubDate>Wed, 19 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-046: Server-Side Template Injection in XWiki]]></title><description><![CDATA[A user with privileges to edit wiki content may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running XWiki.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-046-xwiki</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-046-xwiki</guid><pubDate>Wed, 19 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-042: Server-Side Template Injection in Crafter CMS]]></title><description><![CDATA[A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Crafter CMS.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-042-crafter_cms</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-042-crafter_cms</guid><pubDate>Wed, 19 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-086, 087, 088, 089 - Server-Side Template Injection in Apache Camel - CVE-2020-11994]]></title><description><![CDATA[Apache Camel FreeMarker, Velocity, MVEL and Moustache components are vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) or Arbitrary File Disclosure.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-086-087-088-089-apache-camel</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-086-087-088-089-apache-camel</guid><pubDate>Mon, 17 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-069: Unsafe deserialization of XMLRPC arguments in ApacheOfBiz - CVE-2020-9496]]></title><description><![CDATA[Apache OfBiz is vulnerable to pre-auth Remote Code Execution (RCE) via unsafe deserialization.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz</guid><pubDate>Wed, 12 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-068: Cross-Site Scripting in Apache OfBiz - CVE-2020-9496]]></title><description><![CDATA[Apache OfBiz is vulnerable to Reflected Cross-Site Scripting through POST request]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-068-apache_ofbiz</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-068-apache_ofbiz</guid><pubDate>Wed, 12 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Fuzzing sockets, part 2: FreeRDP]]></title><description><![CDATA[In this second installment, I’ll delve into the research conducted on FreeRDP (http://www.freerdp.com/). ]]></description><link>https://securitylab.github.com/research/fuzzing-sockets-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/research/fuzzing-sockets-FreeRDP</guid><pubDate>Tue, 11 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Room for Escape: Scribbling Outside the Lines of Template Security]]></title><description><![CDATA[in this Q&A with Alvaro Muñoz, dive in a recent research that uncovered more than 30 CVEs across 20 different CMS.]]></description><link>https://securitylab.github.com/research/template-security-ssti</link><guid isPermaLink="false">https://securitylab.github.com/research/template-security-ssti</guid><pubDate>Thu, 06 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-111: Command injection vulnerability in standard-version]]></title><description><![CDATA[The GitHub Security Lab team has identified a potential security vulnerability in standard-version.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-111-standard-version</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-111-standard-version</guid><pubDate>Thu, 06 Aug 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-072: Arbitrary file disclosure in JinJava - CVE-2020-12668]]></title><description><![CDATA[A user with privileges to write JinJava templates, for example in a CMS context, will be able to read arbitrary files from the file system.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-072-hubspot_jinjava</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-072-hubspot_jinjava</guid><pubDate>Wed, 29 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Fuzzing software: advanced tricks (Part 2)]]></title><description><![CDATA[In this second part of a two-part series about common challenges you usually face in your fuzzing work, we'll visit some advanced fuzzing tricks.]]></description><link>https://securitylab.github.com/research/fuzzing-software-2</link><guid isPermaLink="false">https://securitylab.github.com/research/fuzzing-software-2</guid><pubDate>Tue, 28 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-071: Server-side template injection in Lithium CMS]]></title><description><![CDATA[A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with escalated privileges.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-071-lithium_cms</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-071-lithium_cms</guid><pubDate>Mon, 27 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-047: Server-side template injection in dotCMS]]></title><description><![CDATA[A user with privileges to edit templates may execute arbitrary Java code or run arbitrary system commands with escalated privileges.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-047-dotCMS</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-047-dotCMS</guid><pubDate>Wed, 22 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-045: Server-side template injection in Atlassian Confluence - CVE-2020-4027]]></title><description><![CDATA[A user with privileges to edit User macros may execute arbitrary Java code or run arbitrary system commands with escalated privileges.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-045-atlassian_confluence</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-045-atlassian_confluence</guid><pubDate>Mon, 20 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-043: Server-side template injection in Liferay - CVE-2020-13445]]></title><description><![CDATA[A user with privileges to edit FreeMarker or Velocity templates may execute arbitrary Java code or run arbitrary system commands with escalated privileges.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-043-liferay_ce</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-043-liferay_ce</guid><pubDate>Wed, 15 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-039: Server-side template injection in Alfresco - CVE-2020-12873]]></title><description><![CDATA[A user with privileges to edit a FreeMarker template may execute arbitrary Java code or run arbitrary system commands with escalated privileges.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-039-alfresco</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-039-alfresco</guid><pubDate>Wed, 15 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Structured fuzzing Android's NFC]]></title><description><![CDATA[In this post I'll give some details of how to use libprotobuf-mutator on Android to fuzz the NFC component.]]></description><link>https://securitylab.github.com/research/fuzzing_android_nfc</link><guid isPermaLink="false">https://securitylab.github.com/research/fuzzing_android_nfc</guid><pubDate>Tue, 14 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Bean Stalking: Growing Java beans into RCE]]></title><description><![CDATA[In this post I'll show how input validation which should be used to prevent malformed inputs to enter our applications, open up the doors to Remote Code Execution (RCE).]]></description><link>https://securitylab.github.com/research/bean-validation-RCE</link><guid isPermaLink="false">https://securitylab.github.com/research/bean-validation-RCE</guid><pubDate>Tue, 07 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-058: OOB read in Apache Guacamole prior to 1.2.0 - CVE-2020-9497]]></title><description><![CDATA[The GitHub Security Lab uncovered an OOB read vulnerability in Apache Guacamole prior to version 1.2.0 which may lead to information leak.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-058-apache-guacamole-server</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-058-apache-guacamole-server</guid><pubDate>Mon, 06 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-128: OOB read vulnerability in FreeRDP RLEDECOMPRESS - CVE-2020-4033]]></title><description><![CDATA[The GitHub Security Lab team has uncovered an OOB read vulnerability in FreeRDP's RLEDECOMPRESS function.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-128-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-128-FreeRDP</guid><pubDate>Wed, 01 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-125: integer signedness mismatch vulnerability in FreeRDP leads to OOB read - CVE-2020-4032]]></title><description><![CDATA[The GitHub Security Lab team has uncovered an integer signedness mismatch vulnerability in FreeRDP's update_recv_secondary_order function which leads to an OOB read vulnerability.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-125-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-125-FreeRDP</guid><pubDate>Wed, 01 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-124: OOB read vulnerability in FreeRDP update_recv_primary_order - CVE-2020-11095]]></title><description><![CDATA[The GitHub Security Lab team has uncovered an OOB read vulnerability in FreeRDP's update_recv_primary_order function.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-124-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-124-FreeRDP</guid><pubDate>Wed, 01 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-107: OOB read vulnerability in FreeRDP update_read_cache_bitmap_v3_order - CVE-2020-11096]]></title><description><![CDATA[The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's update_read_cache_bitmap_v3_order function.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-107-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-107-FreeRDP</guid><pubDate>Wed, 01 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-106: integer signedness mismatch leading to OOB read in FreeRDP - CVE-2020-4030]]></title><description><![CDATA[The GitHub Security Lab team has uncovered an integer signedness mismatch vulnerability in FreeRDP leading to OOB read.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-106-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-106-FreeRDP</guid><pubDate>Wed, 01 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-105: OOB read vulnerability in FreeRDP glyph_cache_put - CVE-2020-11098]]></title><description><![CDATA[The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's glyph_cache_put function]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-105-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-105-FreeRDP</guid><pubDate>Wed, 01 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-104: OOB read vulnerability in FreeRDP ntlm_av_pair_get - CVE-2020-11097]]></title><description><![CDATA[The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's ntlm_av_pair_get function.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-104-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-104-FreeRDP</guid><pubDate>Wed, 01 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-103: OOB read vulnerability in FreeRDP license_read_new_or_upgrade_license_packet - CVE-2020-11099]]></title><description><![CDATA[The GitHub Security Lab team uncovered an OOB read vulnerability in FreeRDP's license_read_new_or_upgrade_license_packet function.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-103-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-103-FreeRDP</guid><pubDate>Wed, 01 Jul 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-122: Command injection in git-diff-apply]]></title><description><![CDATA[The GitHub Security Lab team has identified a potential remote code execution in git-diff-apply.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-122-rce-git-diff-apply</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-122-rce-git-diff-apply</guid><pubDate>Wed, 24 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-110: Command Injection in mversion]]></title><description><![CDATA[The GitHub Security Lab team has identified a potential remote code execution in mversion]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-110-rce-mversion</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-110-rce-mversion</guid><pubDate>Wed, 24 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Variant analysis of Web Audio callback vulnerabilities in Chrome]]></title><description><![CDATA[In this post I'll look at some use-after-free vulnerabilities in Chrome which were the result of object lifetime misassumptions based on objects being kept alive unexpectedly in audio callbacks.]]></description><link>https://securitylab.github.com/research/chrome_task_queue_uaf</link><guid isPermaLink="false">https://securitylab.github.com/research/chrome_task_queue_uaf</guid><pubDate>Tue, 23 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Last orders at the House of Force]]></title><description><![CDATA[A glibc heap exploitation tutorial, using a heap buffer overflow in SANE Backends as an example.]]></description><link>https://securitylab.github.com/research/last-orders-at-the-house-of-force</link><guid isPermaLink="false">https://securitylab.github.com/research/last-orders-at-the-house-of-force</guid><pubDate>Thu, 18 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-119: command injection vulnerability in node-dns-sync resolve method - CVE-2020-11079]]></title><description><![CDATA[The Github team has identified a command injection vulnerability in the resolve method of the node-dns-sync library.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-119-node-dns-sync</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-119-node-dns-sync</guid><pubDate>Wed, 17 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-102: Heap overflow in FreeRDP crypto_rsa_common - CVE-2020-13398]]></title><description><![CDATA[The GitHub Security Lab team has identified a heap overflow in FreeRDP's crypto_rsa_common function.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-102-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-102-FreeRDP</guid><pubDate>Wed, 17 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-101: NULL dereference in FreeRDP FIPS routines - CVE-2020-13397]]></title><description><![CDATA[The GitHub Security Lab team identified a NULL dereference in FreeRDP's libfreerdp.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-101-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-101-FreeRDP</guid><pubDate>Wed, 17 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-100: Out of Bounds (OOB) read vulnerability in FreeRDP - CVE-2020-13396]]></title><description><![CDATA[The GitHub Security Lab team has identified an Out of Bounds read vulnerability in FreeRDP's ntlm_read_ChallengeMessage function.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-100-FreeRDP</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-100-FreeRDP</guid><pubDate>Wed, 17 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-099: mXSS vulnerability in AngularJS]]></title><description><![CDATA[The GitHub Security Lab team has found a potential mXSS vulnerabulity in AngularJS.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-099-mxss-angular</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-099-mxss-angular</guid><pubDate>Wed, 17 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-094: Missing SSL/TLS certificate hostname validation in em-http-request - CVE-2020-13482]]></title><description><![CDATA[The GitHub Security Lab team uncovered a missing hostname validation vulnerability in the em-http-request library that allows an attacker to perform a Person In The Middle (PITM) attack against users of the library.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-094-igrigorik-em-http-request</guid><pubDate>Wed, 17 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-075, GHSL-2020-079, GHSL-2020-080, GHSL-2020-081, GHSL-2020-082, GHSL-2020-083, GHSL-2020-084: Multiple vulnerabilities in SANE Backends (DoS, RCE)]]></title><description><![CDATA[The GitHub Security Lab team identified multiple memory corruption vulnerabilities in SANE Backends which may lead to Denial of Service (DoS) and Remote Code Execution (RCE).]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-075-libsane</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-075-libsane</guid><pubDate>Wed, 17 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-064: integer overflow in LibVNCClient HandleCursorShape resulting in remote heap overflow - CVE-2019-20788]]></title><description><![CDATA[The GitHub Security Lab team detected an integer overflow in LibVNCClient HandleCursorShape RFB event handler.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-064-libvnc-libvncclient</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-064-libvnc-libvncclient</guid><pubDate>Wed, 17 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-057: dbus file descriptor leak (DoS) - CVE-2020-12049]]></title><description><![CDATA[The GitHub Security Lab team has identified a file descriptor leak in dbus that can lead to local Denial of Service.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-057-DBus-DoS-file-descriptor-leak</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-057-DBus-DoS-file-descriptor-leak</guid><pubDate>Wed, 17 Jun 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[The Octopus Scanner Malware: Attacking the open source supply chain]]></title><description><![CDATA[This post details how an open source supply chain malware spread through build artifacts. 26 open source projects were backdoored by this malware and were actively serving backdoored code.]]></description><link>https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain</link><guid isPermaLink="false">https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain</guid><pubDate>Thu, 28 May 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-073: Path traversal in Jooby - CVE-2020-7647]]></title><description><![CDATA[The GitHub Security Lab team has identified a path traversal vulnerability in Jooby that can lead to information disclosure.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-073-jooby</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-073-jooby</guid><pubDate>Tue, 26 May 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Hot lava: A case study in hunting for network integer arithmetic flaws]]></title><description><![CDATA[We examine the dangers of network integer arithmetic based on a case study of flaws reported to the ntop project.]]></description><link>https://securitylab.github.com/research/network-integers-are-hot-lava</link><guid isPermaLink="false">https://securitylab.github.com/research/network-integers-are-hot-lava</guid><pubDate>Tue, 12 May 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-055: Server-Side Template Injection in Apache Syncope (RCE) - CVE-2019-17557]]></title><description><![CDATA[The GitHub Security Lab team has identified several potential security vulnerabilities in Apache Syncope, including RCE and XSS.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-055-apache-syncope</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-055-apache-syncope</guid><pubDate>Mon, 11 May 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-054: XSS in Apache Syncope - CVE-2020-1961]]></title><description><![CDATA[The GitHub Security Lab team has identified a XSS vulnerability in Apache Syncope.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-054-apache-syncope</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-054-apache-syncope</guid><pubDate>Mon, 11 May 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-029: Server-Side template injection in Apache Syncope (RCE) - CVE-2020-1959]]></title><description><![CDATA[The GitHub Security Labs team has identified a Server-Side template injection vulnerability in Apache Syncope, which leads to RCE.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-029-apache-syncope</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-029-apache-syncope</guid><pubDate>Mon, 11 May 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-020: EL expression input sanitation bypass in Hibernate Validator - CVE-2020-10693]]></title><description><![CDATA[The GitHub Security Labs team has identified an EL expression input sanitation bypass vulnerability in Hibernate Validator.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-020-hibernate-validator</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-020-hibernate-validator</guid><pubDate>Mon, 11 May 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Triggering garbage collection with rejected promises to cause use-after-free in Chrome]]></title><description><![CDATA[In this post I'll show how garbage collections (GC) in Chrome may be triggered with small memory allocations in unexpected places, which was then used to cause a use-after-free bug.]]></description><link>https://securitylab.github.com/research/garbage-collection-uaf-chrome_gc</link><guid isPermaLink="false">https://securitylab.github.com/research/garbage-collection-uaf-chrome_gc</guid><pubDate>Tue, 28 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-085: Open redirect vulnerability in Sourcegraph - CVE-2020-12283]]></title><description><![CDATA[By exploiting an open redirect vulnerability, an attacker could potentially redirect a victim to any arbitrary URL and access their OAUTH token.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-085-sourcegraph</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-085-sourcegraph</guid><pubDate>Tue, 28 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-051, GHSL-2020-052: Multiple vulnerabilities in NTOP nDPI]]></title><description><![CDATA[The GitHub Security Lab team has identified several potential security vulnerabilities in NTOP nDPI, including RCE and DoS.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi</guid><pubDate>Tue, 21 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-010: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0070]]></title><description><![CDATA[An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution on android device's NFC daemon.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-010-aosp</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-010-aosp</guid><pubDate>Tue, 21 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-008: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0071]]></title><description><![CDATA[An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution on android device's NFC daemon.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-008-aosp</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-008-aosp</guid><pubDate>Tue, 21 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-007: Out-of-bounds write in Android Open Source Project - CVE-2020-0072]]></title><description><![CDATA[An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution on android device's NFC daemon.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-007-aosp</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-007-aosp</guid><pubDate>Tue, 21 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-006: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0073]]></title><description><![CDATA[An OOB write in AOSP allows an attacker within NFC range to obtain remote code execution on android device's NFC daemon.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-006-aosp</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-006-aosp</guid><pubDate>Tue, 21 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-031: SQL injection in PureFTPd]]></title><description><![CDATA[Improper sanitization of SQL queries lead to SQL injection via a configuration file.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-031-PureFTPD</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-031-PureFTPD</guid><pubDate>Mon, 20 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-053: Use After Free in Chrome WebAudio]]></title><description><![CDATA[The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-053-chrome</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-053-chrome</guid><pubDate>Thu, 16 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-041: Use After Free in Chrome WebAudio]]></title><description><![CDATA[The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-041-chrome</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-041-chrome</guid><pubDate>Thu, 16 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-040: Use After Free in Chrome WebAudio]]></title><description><![CDATA[The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-040-chrome</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-040-chrome</guid><pubDate>Thu, 16 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-038: Use after free in Chrome WebAudio]]></title><description><![CDATA[The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-038-chrome</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-038-chrome</guid><pubDate>Thu, 16 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-037: Use after free in Chrome WebAudio]]></title><description><![CDATA[The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-037-chrome</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-037-chrome</guid><pubDate>Thu, 16 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-035: Use after free in Chrome WebAudio]]></title><description><![CDATA[The GitHub Security Labs team has identified a Use after free in Chrome WebAudio.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-035-chrome</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-035-chrome</guid><pubDate>Thu, 16 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-030: Server-Side Template Injection in Dropwizard]]></title><description><![CDATA[Server-Side Template Injection in Dropwizard leading to Remote Code Execution (RCE).]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-030-dropwizard</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-030-dropwizard</guid><pubDate>Wed, 15 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Fuzzing sockets, part 1: FTP servers]]></title><description><![CDATA[Antonio shares his research on socket-based fuzzing, starting with the audit of three widely-used FTP servers. With details on interesting CVEs found along the way.]]></description><link>https://securitylab.github.com/research/fuzzing-sockets-FTP</link><guid isPermaLink="false">https://securitylab.github.com/research/fuzzing-sockets-FTP</guid><pubDate>Tue, 14 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-015: Remote Code Execution - Bypass of CVE-2018-16621 mitigations in Nexus Repository Manager]]></title><description><![CDATA[High privileged users can bypass the existing mitigations and inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-015-nxrm-sonatype</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-015-nxrm-sonatype</guid><pubDate>Mon, 13 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-014: Remote Code execution - Dynamic Code Evaluation via Scheduled Tasks in Nexus Repository Manager]]></title><description><![CDATA[It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-014-nxrm-sonatype</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-014-nxrm-sonatype</guid><pubDate>Mon, 13 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-013: Remote Code Execution - Dynamic Code Evaluation via Scripts in Nexus Repository Manager]]></title><description><![CDATA[It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-013-nxrm-sonatype</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-013-nxrm-sonatype</guid><pubDate>Mon, 13 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-012: Remote Code Execution - JavaEL Injection (high privileged accounts) in Nexus Repository Manager]]></title><description><![CDATA[High privileged users can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-012-nxrm-sonatype</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-012-nxrm-sonatype</guid><pubDate>Mon, 13 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-009: UAF leads to RCE in ProFTPD]]></title><description><![CDATA[A use-after-free vulnerability in ProFTPD could allow a remote attacker to execute arbitrary code on the affected system.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-009-ProFTPD</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-009-ProFTPD</guid><pubDate>Tue, 07 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-016: Persistent Cross-Site scripting in Nexus Repository Manager]]></title><description><![CDATA[An attacker with elevated privileges can create content selectors with a specially crafted name using the REST API, which when viewed by another user can execute arbitrary JavaScript in the context of the NXRM application.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-016-nxrm-sonatype</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-016-nxrm-sonatype</guid><pubDate>Fri, 03 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-011: Remote Code Execution - JavaEL Injection (low privileged accounts) in Nexus Repository Manager]]></title><description><![CDATA[Attackers can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype</guid><pubDate>Fri, 03 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[Hey look ma, I'm doing crypto!]]></title><description><![CDATA[In this first part of a series about cryptography, Agustin explores identity validation issues in TLS.]]></description><link>https://securitylab.github.com/research/cryptography-first-steps-encryption</link><guid isPermaLink="false">https://securitylab.github.com/research/cryptography-first-steps-encryption</guid><pubDate>Thu, 02 Apr 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-056: Double free in OpenSSL client]]></title><description><![CDATA[The GitHub Security Labs team has identified a security issue in OpenSSL in which an attacker can force a client into freeing the same memory twice.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-056-openssl</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-056-openssl</guid><pubDate>Tue, 31 Mar 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-028: Server-Side Template Injection in Netflix Titus]]></title><description><![CDATA[A Server-Side Template Injection was identified in Netflix Titus enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-028-netflix-titus</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-028-netflix-titus</guid><pubDate>Wed, 25 Mar 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-027: Server-Side Template Injection in Netflix Conductor]]></title><description><![CDATA[A Server-Side Template Injection was identified in Netflix Conductor enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-027-netflix-conductor</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-027-netflix-conductor</guid><pubDate>Wed, 25 Mar 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[CERT partners with GitHub Security Lab for automated remediation of CVE-2020-8597]]></title><description><![CDATA[Learn more about how we found ways to scale our vulnerability hunting efforts and empower others to do the same. In this post, we’ll take a deep-dive in remediation of CVE-2020-8597 with CERT.]]></description><link>https://securitylab.github.com/research/CERT-CVE-2020-8597-automated-remediation-scale</link><guid isPermaLink="false">https://securitylab.github.com/research/CERT-CVE-2020-8597-automated-remediation-scale</guid><pubDate>Wed, 18 Mar 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-032: out-of-bounds (OOB) read vulnerability in PureFTPd]]></title><description><![CDATA[An out-of-bounds (OOB) read vulnerability has been detected in PureFTPd's pure_strcmp function.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-032-PureFTPD</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-032-PureFTPD</guid><pubDate>Thu, 12 Mar 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-026: Person in the middle attacks with lua-openssl]]></title><description><![CDATA[Several security issues have been found in the way X509 certificate validation functions are exposed to LUA. Clients using certain functions in lua-openssl are exposed to person-in-the-middle attacks.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-026-lua-openssl</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-026-lua-openssl</guid><pubDate>Thu, 12 Mar 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-025: OOB read and DoS in PureFTPd]]></title><description><![CDATA[An uninitialized pointer vulnerability in PureFTPd results in Out-of-Bounds reads and Denial of Service.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-025-PureFTPD</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-025-PureFTPD</guid><pubDate>Thu, 12 Mar 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-003, GHSL-2020-004, GHSL-2020-005: Person in the middle attack on openfortivpn clients]]></title><description><![CDATA[Several security issues have been found in the way openfortivpn deals with TLS. These issues can lead to situations in which an attacker can perform a person-in-the-middle attack on clients.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-003_005-openfortivpn</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-003_005-openfortivpn</guid><pubDate>Thu, 12 Mar 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-002: out-of-bounds (OOB) read in ProFTPD]]></title><description><![CDATA[An out-of-bounds (OOB) read vulnerability detected in mod_cap.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-002-ProFTPD</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-002-ProFTPD</guid><pubDate>Thu, 12 Mar 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[GHSL-2020-001: Off-by-one heap overflow in Bftpd]]></title><description><![CDATA[Under certain circumstances, an off-by-one heap overflow can occur in the command_retr function.]]></description><link>https://securitylab.github.com/advisories/GHSL-2020-001-Bftpd</link><guid isPermaLink="false">https://securitylab.github.com/advisories/GHSL-2020-001-Bftpd</guid><pubDate>Thu, 12 Mar 2020 13:00:00 GMT</pubDate></item><item><title><![CDATA[CVE-2020-0688 Losing the keys to your kingdom]]></title><description><![CDATA[Learn about how reusing hardcoded HMAC keys led to remote code execution on Exchange servers.]]></description><link>https://securitylab.github.com/research/exchange-rce-CVE-2020-0688</link><guid isPermaLink="false">https://securitylab.github.com/research/exchange-rce-CVE-2020-0688</guid><pubDate>Wed, 04 Mar 2020 14:00:00 GMT</pubDate></item><item><title><![CDATA[CVE-2020-5398 Reflected File Download in Spring MVC/WebFlux]]></title><description><![CDATA[Learn about Reflected File Downloads by reviewing how Spring MVC and WebFlux were affected.]]></description><link>https://securitylab.github.com/research/rfd-spring-mvc-CVE-2020-5398</link><guid isPermaLink="false">https://securitylab.github.com/research/rfd-spring-mvc-CVE-2020-5398</guid><pubDate>Tue, 25 Feb 2020 14:00:00 GMT</pubDate></item><item><title><![CDATA[How to escape from the fuzz]]></title><description><![CDATA[The story of how I became an Exiv2 contributor last year, and joined the struggle to escape from the fuzzing police.]]></description><link>https://securitylab.github.com/research/how-to-escape-from-the-fuzz</link><guid isPermaLink="false">https://securitylab.github.com/research/how-to-escape-from-the-fuzz</guid><pubDate>Thu, 20 Feb 2020 14:00:00 GMT</pubDate></item><item><title><![CDATA[CVE-2019-10779: Cross-site scripting in GCHQ Stroom]]></title><description><![CDATA[GCHQ Stroom is vulnerable to Cross-Site Scripting due to the ability to load the Stroom dashboard on another site and insufficient protection against window event origins.]]></description><link>https://securitylab.github.com/research/gchq-stroom-xss</link><guid isPermaLink="false">https://securitylab.github.com/research/gchq-stroom-xss</guid><pubDate>Tue, 18 Feb 2020 14:00:00 GMT</pubDate></item><item><title><![CDATA[Fuzzing software: common challenges and potential solutions (Part 1) ]]></title><description><![CDATA[This is the first part of a two-part series about common challenges you usually face in your fuzzing work.]]></description><link>https://securitylab.github.com/research/fuzzing-challenges-solutions-1</link><guid isPermaLink="false">https://securitylab.github.com/research/fuzzing-challenges-solutions-1</guid><pubDate>Tue, 28 Jan 2020 14:00:00 GMT</pubDate></item><item><title><![CDATA[Review of Chromium IPC vulnerabilities]]></title><description><![CDATA[In this post I’ll discuss some recent Chromium IPC vulnerabilities discovered by the security research community and how analyzing them helped me to discover new ones.]]></description><link>https://securitylab.github.com/research/chromium-ipc-vulnerabilities</link><guid isPermaLink="false">https://securitylab.github.com/research/chromium-ipc-vulnerabilities</guid><pubDate>Wed, 15 Jan 2020 14:00:00 GMT</pubDate></item><item><title><![CDATA[Ubuntu whoopsie integer overflow vulnerability (CVE-2019-11484)]]></title><description><![CDATA[This is the fourth and final post in a series about Ubuntu's crash reporting system. We'll review CVE-2019-11484, a vulnerability in whoopsie which enables a local attacker to get a shell as the whoopsie user, thereby gaining the ability to read any crash report.]]></description><link>https://securitylab.github.com/research/ubuntu-whoopsie-CVE-2019-11484</link><guid isPermaLink="false">https://securitylab.github.com/research/ubuntu-whoopsie-CVE-2019-11484</guid><pubDate>Mon, 23 Dec 2019 14:00:00 GMT</pubDate></item><item><title><![CDATA[Ubuntu apport PID recycling vulnerability (CVE-2019-15790)]]></title><description><![CDATA[This is the third post in a series about Ubuntu's crash reporting system. We'll review CVE-2019-15790, a vulnerability in apport that enables a local attacker to obtain the ASLR offsets for any process they can start (or restart).]]></description><link>https://securitylab.github.com/research/ubuntu-apport-CVE-2019-15790</link><guid isPermaLink="false">https://securitylab.github.com/research/ubuntu-apport-CVE-2019-15790</guid><pubDate>Thu, 19 Dec 2019 14:00:00 GMT</pubDate></item><item><title><![CDATA[Ubuntu apport TOCTOU vulnerability (CVE-2019-7307)]]></title><description><![CDATA[This is the second post in our series about Ubuntu's crash reporting system. We'll review CVE-2019-7307, a TOCTOU vulnerability that enables a local attacker to include the contents of any file on the system in a crash report.]]></description><link>https://securitylab.github.com/research/ubuntu-apport-CVE-2019-7307</link><guid isPermaLink="false">https://securitylab.github.com/research/ubuntu-apport-CVE-2019-7307</guid><pubDate>Tue, 17 Dec 2019 14:00:00 GMT</pubDate></item><item><title><![CDATA[Whoopsie-daisy: Chaining accidental features of Ubuntu’s crash reporter to get LPE]]></title><link>https://securitylab.github.com/research/ubuntu-whoopsie-daisy-overview</link><guid isPermaLink="false">https://securitylab.github.com/research/ubuntu-whoopsie-daisy-overview</guid><pubDate>Thu, 12 Dec 2019 14:00:00 GMT</pubDate></item><item><title><![CDATA[Bug Hunting with CodeQL, an Rsyslog Case Study]]></title><description><![CDATA[Follow GitHub security researcher Agustin Gianni in his bug hunting process, from threat modeling to variant analysis.]]></description><link>https://securitylab.github.com/research/bug-hunting-codeql-rsyslog</link><guid isPermaLink="false">https://securitylab.github.com/research/bug-hunting-codeql-rsyslog</guid><pubDate>Thu, 14 Nov 2019 14:00:00 GMT</pubDate></item><item><title><![CDATA[Anatomy of a Coffee Bean (Wireless Vulnerabilities in Linux Kernel)]]></title><description><![CDATA[Learn how I found wireless vulnerabilities in the Linux Kernel, and variants, thanks to CodeQL.]]></description><link>https://securitylab.github.com/research/anatomy-of-a-coffee-bean-wireless-vulnerabilities-in-linux-kernel</link><guid isPermaLink="false">https://securitylab.github.com/research/anatomy-of-a-coffee-bean-wireless-vulnerabilities-in-linux-kernel</guid><pubDate>Thu, 14 Nov 2019 14:00:00 GMT</pubDate></item><item><title><![CDATA[Another libssh2 integer overflow (CVE-2019-17498)]]></title><description><![CDATA[GitHub security researcher Kevin Backhouse describes a new integer overflow vulnerability in libssh2 and explains the benefits of using variant analysis with QL when reporting a vulnerability.]]></description><link>https://securitylab.github.com/research/libssh2-integer-overflow-CVE-2019-17498</link><guid isPermaLink="false">https://securitylab.github.com/research/libssh2-integer-overflow-CVE-2019-17498</guid><pubDate>Wed, 16 Oct 2019 13:00:00 GMT</pubDate></item><item><title><![CDATA[In-Memory Data Grid Applications: Finding Common Java Deserialization Vulnerabilities with CodeQL]]></title><description><![CDATA[In-memory data grid applications often make heavy use of serialization to transfer data. Our security researchers look at Java deserialization vulnerabilities in Apache Geode, Red Hat Infinispan, Ignite, and Hazelcast.]]></description><link>https://securitylab.github.com/research/in-memory-data-grid-vulnerabilities</link><guid isPermaLink="false">https://securitylab.github.com/research/in-memory-data-grid-vulnerabilities</guid><pubDate>Thu, 05 Sep 2019 13:00:00 GMT</pubDate><enclosure url="https://securitylab.github.com/static/grid-97a9ad7e5236dfaf11f695b6c371640e.jpg" length="0" type="image/jpeg"/></item><item><title><![CDATA[VLC Vulnerabilities Discovered by the GitHub Security Research Team]]></title><description><![CDATA[GitHub Security Lab’s research team discovers 11 bugs in VLC, the popular media player. The VLC vulnerability CVE-2019-14438 could potentially allow an attacker to take control of the user’s computer.]]></description><link>https://securitylab.github.com/research/vlc-vulnerability-heap-overflow</link><guid isPermaLink="false">https://securitylab.github.com/research/vlc-vulnerability-heap-overflow</guid><pubDate>Mon, 19 Aug 2019 13:00:00 GMT</pubDate><enclosure url="https://securitylab.github.com/static/Cone-Subs-large-160aed435db19d6f96c721249ec75eef.png" length="0" type="image/png"/></item><item><title><![CDATA[U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)]]></title><description><![CDATA[Semmle’s security research team discovers 13 U-Boot RCE vulnerabilities in its bootloader, which is commonly used by IoT, Kindle, and ARM ChromeOS devices.]]></description><link>https://securitylab.github.com/research/uboot-rce-nfs-vulnerability</link><guid isPermaLink="false">https://securitylab.github.com/research/uboot-rce-nfs-vulnerability</guid><pubDate>Wed, 24 Jul 2019 13:00:00 GMT</pubDate><enclosure url="https://securitylab.github.com/static/uboot-device-9d8d7e7c27a0a2941c30ae2ff4efe5a7.jpg" length="0" type="image/jpeg"/></item><item><title><![CDATA[libssh2 integer overflows and an out-of-bounds read (CVE-2019-13115)]]></title><description><![CDATA[Get a technical deep dive into some libssh2 integer overflows and an out-of-bounds read. GitHub security researcher Kevin Backhouse shows how the vulnerability can be triggered by connecting to a malicious ssh server.]]></description><link>https://securitylab.github.com/research/libssh2-integer-overflow</link><guid isPermaLink="false">https://securitylab.github.com/research/libssh2-integer-overflow</guid><pubDate>Mon, 08 Jul 2019 13:00:00 GMT</pubDate></item><item><title><![CDATA[Insecure Deserialization: Finding Java Vulnerabilities with CodeQL]]></title><description><![CDATA[Deserialization of untrusted data can lead to vulnerabilities that allow an attacker to execute arbitrary code. We can use CodeQL, the code query technology of LGTM, to find such deserialization vulnerabilities.]]></description><link>https://securitylab.github.com/research/insecure-deserialization</link><guid isPermaLink="false">https://securitylab.github.com/research/insecure-deserialization</guid><pubDate>Tue, 02 Jul 2019 13:00:00 GMT</pubDate><enclosure url="https://securitylab.github.com/static/code-bc0b5ef7c7da9f31722171c8c1b01c09.jpg" length="0" type="image/jpeg"/></item><item><title><![CDATA[Facebook Fizz integer overflow vulnerability (CVE-2019-3560)]]></title><description><![CDATA[An unauthenticated remote attacker could trigger an infinite loop in Fizz, Facebook's open source TLS library.]]></description><link>https://securitylab.github.com/research/facebook-fizz-CVE-2019-3560</link><guid isPermaLink="false">https://securitylab.github.com/research/facebook-fizz-CVE-2019-3560</guid><pubDate>Tue, 19 Mar 2019 13:00:00 GMT</pubDate><enclosure url="https://securitylab.github.com/static/FizzOverflow-21e5f16d263b46ad8d89f7e0afaa7ecd.jpg" length="0" type="image/jpeg"/></item><item><title><![CDATA[Exploiting CVE-2018-19134: Ghostscript RCE through type confusion]]></title><description><![CDATA[This post describes how I used variant analysis to develop an exploit for Ghostscript CVE-2018-19134, a type confusion vulnerability that allows arbitrary shell command execution.]]></description><link>https://securitylab.github.com/research/cve-2018-19134-ghostscript-rce</link><guid isPermaLink="false">https://securitylab.github.com/research/cve-2018-19134-ghostscript-rce</guid><pubDate>Tue, 05 Feb 2019 14:00:00 GMT</pubDate></item><item><title><![CDATA[Ghostscript type confusion: Using variant analysis to find vulnerabilities]]></title><description><![CDATA[This post describes how to perform variant analysis with CodeQL to catch missing type checking in Ghostscript, leading to the discovery of 3 new type confusion vulnerabilities (CVE-2018-19134, CVE-2018-19476, CVE-2018-19477)]]></description><link>https://securitylab.github.com/research/ghostscript-type-confusion</link><guid isPermaLink="false">https://securitylab.github.com/research/ghostscript-type-confusion</guid><pubDate>Tue, 22 Jan 2019 14:00:00 GMT</pubDate></item><item><title><![CDATA[CVE-2018-19475: Ghostscript shell command execution in SAFER mode]]></title><description><![CDATA[This post describes how I carried out variant analysis on a vulnerability found by Google Project Zero member Tavis Ormandy and ended up with a new one.]]></description><link>https://securitylab.github.com/research/ghostscript-CVE-2018-19475</link><guid isPermaLink="false">https://securitylab.github.com/research/ghostscript-CVE-2018-19475</guid><pubDate>Mon, 14 Jan 2019 14:00:00 GMT</pubDate></item><item><title><![CDATA[Apple XNU exploits: ICMP proof of concept]]></title><description><![CDATA[A few weeks ago, we disclosed 6 vulnerabilities in Apple's XNU operating system kernel. This post gives the details of our proof-of-concept exploits. It also explains how a query helped us find a path to the vulnerable code.]]></description><link>https://securitylab.github.com/research/apple-xnu-exploit-icmp-poc</link><guid isPermaLink="false">https://securitylab.github.com/research/apple-xnu-exploit-icmp-poc</guid><pubDate>Sat, 24 Nov 2018 14:00:00 GMT</pubDate></item><item><title><![CDATA[OGNL Apache Struts exploit: Weaponizing a sandbox bypass (CVE-2018-11776)]]></title><description><![CDATA[This post reviews various security measures that were implemented in Apache Struts to constrain the power of OGNL, and how to bypass them (up to version 2.5.16).]]></description><link>https://securitylab.github.com/research/ognl-apache-struts-exploit-CVE-2018-11776</link><guid isPermaLink="false">https://securitylab.github.com/research/ognl-apache-struts-exploit-CVE-2018-11776</guid><pubDate>Wed, 21 Nov 2018 14:00:00 GMT</pubDate></item><item><title><![CDATA[CVE-2018-18820: Snprintf Vulnerability in Icecast]]></title><description><![CDATA[Our automated analysis found a remote code execution vulnerability in the Icecast streaming media server.]]></description><link>https://securitylab.github.com/research/cve-2018-18820-snprintf-vulnerability-icecast</link><guid isPermaLink="false">https://securitylab.github.com/research/cve-2018-18820-snprintf-vulnerability-icecast</guid><pubDate>Thu, 01 Nov 2018 13:00:00 GMT</pubDate></item><item><title><![CDATA[CVE-2018-4259: MacOS NFS vulnerabilties lead to kernel RCE]]></title><description><![CDATA[A custom query, written for Apple's macOS operating system kernel, has found multiple stack and heap buffer overflows which are triggerable by connecting to a malicious NFS file server.]]></description><link>https://securitylab.github.com/research/cve-2018-4259-macos-nfs-vulnerability</link><guid isPermaLink="false">https://securitylab.github.com/research/cve-2018-4259-macos-nfs-vulnerability</guid><pubDate>Tue, 30 Oct 2018 13:00:00 GMT</pubDate></item><item><title><![CDATA[Kernel crash caused by out-of-bounds write in Apple's ICMP packet-handling code (CVE-2018-4407)]]></title><description><![CDATA[The networking implementation in iOS and macOS contained an out-of-bounds write, which could be triggered by sending a malicious packet to the device. No user interaction was required. This post explains how it was found using CodeQL.]]></description><link>https://securitylab.github.com/research/apple-xnu-icmp-error-CVE-2018-4407</link><guid isPermaLink="false">https://securitylab.github.com/research/apple-xnu-icmp-error-CVE-2018-4407</guid><pubDate>Tue, 30 Oct 2018 13:00:00 GMT</pubDate></item><item><title><![CDATA[Apache Struts double evaluation RCE lottery]]></title><description><![CDATA[This post takes a look at a type of RCE vulnerability in Apache Struts known as a double evaluation and explains how to find it using CodeQL.]]></description><link>https://securitylab.github.com/research/apache-struts-double-evaluation</link><guid isPermaLink="false">https://securitylab.github.com/research/apache-struts-double-evaluation</guid><pubDate>Thu, 04 Oct 2018 13:00:00 GMT</pubDate></item><item><title><![CDATA[OGNL injection in Apache Struts: Discovering exploits with taint tracking]]></title><description><![CDATA[This post gives more technical detail about general taint-tracking analysis in Apache Struts. It also provides more information on how to write queries that take the architecture of Struts into account to discover various OGNL injection issues.]]></description><link>https://securitylab.github.com/research/ognl-injection-apache-struts</link><guid isPermaLink="false">https://securitylab.github.com/research/ognl-injection-apache-struts</guid><pubDate>Mon, 24 Sep 2018 13:00:00 GMT</pubDate></item><item><title><![CDATA[CVE-2018-11776: How to find 5 RCEs in Apache Struts with CodeQL]]></title><description><![CDATA[Semmle security researcher Man Yue Mo explains how he used CodeQL's Data Flow library to discover multiple RCE vulnerabilities (CVE-2018-11776) in Apache Struts.]]></description><link>https://securitylab.github.com/research/apache-struts-CVE-2018-11776</link><guid isPermaLink="false">https://securitylab.github.com/research/apache-struts-CVE-2018-11776</guid><pubDate>Wed, 22 Aug 2018 13:00:00 GMT</pubDate></item><item><title><![CDATA[Librelp buffer overflow fix (cve-2018-1000140) - a collaboration between Adiscon and Semmle]]></title><description><![CDATA[This is a joint blog post, from Adiscon and Semmle, about the finding and fixing of CVE-2018-1000140, a security vulnerability in librelp.]]></description><link>https://securitylab.github.com/research/librelp-buffer-overflow-cve-2018-1000140</link><guid isPermaLink="false">https://securitylab.github.com/research/librelp-buffer-overflow-cve-2018-1000140</guid><pubDate>Tue, 19 Jun 2018 13:00:00 GMT</pubDate></item><item><title><![CDATA[CVE-2018-4249 & CVE-2017-13904: Remote code execution in Apple's packet mangler]]></title><description><![CDATA[The packet-mangler component of Apple's macOS operating system kernel contained a remote code execution vulnerability which could be triggered by sending a malicious network packet to the Mac over the internet. This post explains how it we found it using CodeQL.]]></description><link>https://securitylab.github.com/research/CVE-2018-4249-apple-xnu-packet-mangler</link><guid isPermaLink="false">https://securitylab.github.com/research/CVE-2018-4249-apple-xnu-packet-mangler</guid><pubDate>Fri, 01 Jun 2018 13:00:00 GMT</pubDate></item><item><title><![CDATA[Apple NFS Diskless Boot: Negative integer overflow vulnerabilities (CVE-2018-4136 & CVE-2018-4160)]]></title><description><![CDATA[TThis post explains how to use CodeQL to find calls to bcopy where the size argument might be negative.]]></description><link>https://securitylab.github.com/research/apple-xnu-nfs-boot</link><guid isPermaLink="false">https://securitylab.github.com/research/apple-xnu-nfs-boot</guid><pubDate>Thu, 26 Apr 2018 13:00:00 GMT</pubDate></item><item><title><![CDATA[Etherpad reflected file download: Vulnerability hunting with CodeQL (CVE-2018-6835)]]></title><description><![CDATA[This blog post explains how CodeQL can be used to discover so-called 'Reflected File Download' vulnerabilities in JavaScript applications. As an example, we look at CVE-2018-6835 which we recently found in the Etherpad collaborative editor.]]></description><link>https://securitylab.github.com/research/etherpad-reflected-file-download</link><guid isPermaLink="false">https://securitylab.github.com/research/etherpad-reflected-file-download</guid><pubDate>Thu, 29 Mar 2018 13:00:00 GMT</pubDate></item><item><title><![CDATA[Spring Data REST exploit (CVE-2017-8046): Finding a RCE vulnerability with CodeQL]]></title><description><![CDATA[The query language that forms the foundation of LGTM's code analysis makes it very easy to find new security vulnerabilities and variants of it. In this post we look at Spring Data REST, and how CodeQL helped making sure a remote code execution vulnerability was truly eradicated.]]></description><link>https://securitylab.github.com/research/spring-data-rest-CVE-2017-8046-ql</link><guid isPermaLink="false">https://securitylab.github.com/research/spring-data-rest-CVE-2017-8046-ql</guid><pubDate>Thu, 01 Mar 2018 14:00:00 GMT</pubDate></item><item><title><![CDATA[Android Deserialization Vulnerabilities: A Brief history]]></title><description><![CDATA[This post describes some past Android deserialization vulnerabilities that exploited C++ pointers wrapped inside Java objects. Using a single query, we can find the classes responsible for them with great precision.]]></description><link>https://securitylab.github.com/research/android-deserialization-vulnerabilities</link><guid isPermaLink="false">https://securitylab.github.com/research/android-deserialization-vulnerabilities</guid><pubDate>Fri, 02 Feb 2018 14:00:00 GMT</pubDate></item><item><title><![CDATA[Stack buffer overflow in Qualcomm MSM 4.4 - Finding bugs with CodeQL]]></title><description><![CDATA[This post describes how we can use CodeQL to find unsafe uses of copy_from_user - a C function that is used to copy data from user memory into kernel memory. When used incorrectly, it could cause a stack buffer overflow in the kernel.]]></description><link>https://securitylab.github.com/research/stack-buffer-overflow-qualcomm-msm</link><guid isPermaLink="false">https://securitylab.github.com/research/stack-buffer-overflow-qualcomm-msm</guid><pubDate>Wed, 24 Jan 2018 14:00:00 GMT</pubDate></item><item><title><![CDATA[Castor and Hessian java deserialization vulnerabilities]]></title><description><![CDATA[This post shows how to use the new TaintTracking library to easily identify unsafe deserialization vulnerabilities associated with the Castor and Hessian deserialization framework. In particular, two new vulnerabilities, CVE-2017-12633 and CVE-2017-12634 are discovered in Apache Camel.]]></description><link>https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities</link><guid isPermaLink="false">https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities</guid><pubDate>Wed, 17 Jan 2018 14:00:00 GMT</pubDate></item><item><title><![CDATA[XXE attack example using jBoss vulnerability (jBPM) CVE-2017-7545]]></title><description><![CDATA[This post shows how the out-of-the-box XXE query in LGTM catches an exploitable XXE vulnerability in the JBoss business process manager that is difficult to find using fuzzing or testing.]]></description><link>https://securitylab.github.com/research/xxe-attack-jboss-vulnerability</link><guid isPermaLink="false">https://securitylab.github.com/research/xxe-attack-jboss-vulnerability</guid><pubDate>Tue, 19 Dec 2017 14:00:00 GMT</pubDate></item><item><title><![CDATA[Apple's XNU Kernel: Finding a memory exposure vulnerability with CodeQL (CVE-2017-13782)]]></title><description><![CDATA[Apple's macOS XNU kernel can be tricked into leaking sensitive kernel memory. This post describes how we can use CodeQL to find such vulnerabilities in C code.]]></description><link>https://securitylab.github.com/research/apple-xnu-dtrace-CVE-2017-13782</link><guid isPermaLink="false">https://securitylab.github.com/research/apple-xnu-dtrace-CVE-2017-13782</guid><pubDate>Wed, 01 Nov 2017 13:00:00 GMT</pubDate></item><item><title><![CDATA[Restlet XXE vulnerability (CVE-2017-14949)]]></title><description><![CDATA[Unsafe parsing of user input XML data in Restlet leads to remote information disclosure by sending a malicious request to applications built using Restlet's REST API. In this post I will explain the details of the vulnerability, how it is found using CodeQL and why this type of mistake is easy to make when configuring XML parsers.]]></description><link>https://securitylab.github.com/research/restlet_xxe_vulnerability_CVE-2017-14949</link><guid isPermaLink="false">https://securitylab.github.com/research/restlet_xxe_vulnerability_CVE-2017-14949</guid><pubDate>Tue, 17 Oct 2017 13:00:00 GMT</pubDate></item><item><title><![CDATA[Swagger YAML Parser Vulnerability (CVE-2017-1000207 and CVE-2017-1000208)]]></title><description><![CDATA[Parsing YAML data from untrusted source can lead to arbitrary code execution. This post discusses a vulnerability of this type in Swagger Parser (caused by unsafe use of SnakeYaml), and shows how such vulnerabilities can be found using QL.]]></description><link>https://securitylab.github.com/research/swagger-yaml-parser-vulnerability</link><guid isPermaLink="false">https://securitylab.github.com/research/swagger-yaml-parser-vulnerability</guid><pubDate>Wed, 11 Oct 2017 13:00:00 GMT</pubDate></item><item><title><![CDATA[Restlet XML External Entity Expansion Vulnerability (CVE-2017-14868)]]></title><description><![CDATA[Unsafe parsing of user input XML data allows remote attacker arbitrary file access.]]></description><link>https://securitylab.github.com/research/restlet_xml_external_entity_expansion_CVE-2017-14868</link><guid isPermaLink="false">https://securitylab.github.com/research/restlet_xml_external_entity_expansion_CVE-2017-14868</guid><pubDate>Mon, 02 Oct 2017 13:00:00 GMT</pubDate></item><item><title><![CDATA[Spring AMQP Exploit (CVE-2017-8045): Remote Code Execution Vulnerability]]></title><description><![CDATA[Deserialization of untrusted user data caused a severe remote code execution vulnerability in Spring AMQP's implementation for handling errors. This post explains the details of the vulnerability and how we found it using our query language.]]></description><link>https://securitylab.github.com/research/spring_amqp_exploit_CVE-2017-8045</link><guid isPermaLink="false">https://securitylab.github.com/research/spring_amqp_exploit_CVE-2017-8045</guid><pubDate>Wed, 20 Sep 2017 13:00:00 GMT</pubDate></item><item><title><![CDATA[CVE-2017-9805: How CodeQL found a remote code execution vulnerability in Apache Struts]]></title><description><![CDATA[Deserialization of untrusted user data caused a remote code execution vulnerability in Apache Struts. This post explains how CodeQL, LGTM's code query technology, was used to find this vulnerability.]]></description><link>https://securitylab.github.com/research/apache-struts-vulnerability-cve-2017-9805</link><guid isPermaLink="false">https://securitylab.github.com/research/apache-struts-vulnerability-cve-2017-9805</guid><pubDate>Tue, 05 Sep 2017 13:00:00 GMT</pubDate></item></channel></rss>