Learn more about vulnerabilities and exploits from our dedicated security team and others.
It’s a common mistake to think that once a vulnerability is found, the responsible thing would be to make it widely known as soon as possible. The truth is quite the opposite. Responsible vulnerability disclosure is a disclosure model commonly used in the cybersecurity world where 0-day vulnerabilities are first disclosed privately, thus allowing code […]
Just a few days ago, on March 27, a security vulnerability was disclosed and published — CVE-2020-7599 — on Gradle’s plugin-publish plugin. It is a vulnerability that affects all versions of the package below 0.11.0. The vulnerability was found on March 4 by Danny Thomas, Developer Productivity at Netflix, and reported to Gradle straight away. […]
Lucky you, user of the web framework for perfectionists with deadlines (AKA Django). The Django team has put a lot of thought into their security practice (their documentation lists the security features, and their security policy is worth reading too). We have summarized some of the best tips to keep your Django project secure. Download […]
A backdoor in our code that can perform OS command injection is one of the scariest scenarios there is. Currently, npm has more than 1.2M public packages available. Over the last 3 years, our dependencies have become a perfect target for cybercriminals. We saw many new attacks going live, like typosquatting attacks or the event-stream incident, […]
Over the past few years, Kubernetes has exploded into the tech world, becoming the most popular cloud container orchestration system. Kubernetes remains a powerful, useful open source system for developers, but like any tool it needs to be used carefully, and you should take steps to secure your clusters. Today we want to talk about two […]
Urllib3, a powerful and popular Python HTTP client, is subject to a newly discovered denial of service vulnerability. Urllib3 is used throughout the Python ecosystem, with more than 1,200 packages listing it as a dependency, including popular packages like requests, selenium, kubernetes, and more. If you have a Python project, there is a high likelihood that […]
Snyk partners with the makers of Greenkeeper to help developers proactively maintain dependency health
We’re pleased to announce the graduation of Automatic Dependency Upgrades, a Snyk Open Source capability that helps developers proactively reduce security vulnerabilities and maintain dependency health when using open source software. Automatic Dependency Upgrades is the result of an exciting new partnership between Snyk and Neighbourhoodie Software, who are the makers of Greenkeeper and developer […]
Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies. Tomcat is one of the most popular Java HTTP web server environments and was released in 1998. Ghostcat is a high severity vulnerability in Tomcat discovered by the security researchers of Chaitin Tech on January […]
On February 7th, 2020 I received an anonymous tip through the “leak inbox” of the Israeli CyberCyber podcast.
A new Node.js security release was published earlier today, 6th of February 2020, which fixes one Critical severity and two High severity issues. This release also includes stricter HTTP parsing. According to the official release notes included in the following Node.js commit: Also, HTTP parsing is more strict to be more secure. Since this may […]