Vulnerabilities
Learn more about vulnerabilities and exploits from our dedicated security team and others.
Responsible disclosure: the impact of vulnerability disclosure on open source security
It’s a common mistake to think that once a vulnerability is found, the responsible thing would be to make it widely known as soon as possible. The truth is quite the opposite. Responsible vulnerability disclosure is a disclosure model commonly used in the cybersecurity world where 0-day vulnerabilities are first disclosed privately, thus allowing code […]
Vulnerable Gradle plugin-publish plugin reveals sensitive information
Just a few days ago, on March 27, a security vulnerability was disclosed and published — CVE-2020-7599 — on Gradle’s plugin-publish plugin. It is a vulnerability that affects all versions of the package below 0.11.0. The vulnerability was found on March 4 by Danny Thomas, Developer Productivity at Netflix, and reported to Gradle straight away. […]
Exploring the minimist prototype pollution security vulnerability
On March 11th, 2020, Snyk published a medium severity prototype pollution security vulnerability (CVE-2020-7598) affecting the minimist npm package. This is part of ongoing research by the Snyk security research team, which had previously uncovered similar vulnerabilities in other high-profile JavaScript libraries such as lodash and jQuery. The current research by the Snyk team […]
Django security tips
Lucky you, you user of the web framework for perfectionists with deadlines (AKA Django). The Django team has put a lot of thought into their security practice (find security features in their documentation and their security policy is interesting too). We have summarized some of the best tips to keep your Django project secure. Download […]
What is a backdoor? Let’s build one with Node.js
A backdoor in our code that can perform OS command injection is one of the scariest scenarios there is. Currently, npm has more than 1.2M public packages available. For the last 3 years, our dependencies have become the perfect target for cybercriminals. We saw many new attacks going live, like the typosquatting attack or the event-stream incident, […]
How to Detect and Remediate Kubernetes Vulnerability CVE-2019-11249
Over the past few years, Kubernetes has exploded into the tech world, becoming the most popular cloud container orchestration system. Kubernetes remains a powerful, useful open source system for developers, but like any tool it needs to be used carefully, and you should take steps to secure your clusters. Today we want to talk about two […]
Popular Python library, urllib3, subject to a denial of service vulnerability
Urllib3, a powerful and popular Python HTTP client, is subject to a newly discovered denial of service vulnerability. Urllib3 is used throughout the Python ecosystem, with more than 1,200 packages listing it as a dependency, including popular packages like requests, selenium, kubernetes, and more. If you have a Python project, there is a high likelihood that […]
Snyk partners with the makers of Greenkeeper to help developers proactively maintain dependency health
We’re pleased to announce the graduation of Automatic Dependency Upgrades, a Snyk Open Source capability that helps developers proactively reduce security vulnerabilities and maintain dependency health when using open source software. Automatic Dependency Upgrades is the result of an exciting new partnership between Snyk and Neighbourhoodie Software, who are the makers of Greenkeeper and developer […]
Ghostcat breach affects all Tomcat versions
Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies. Tomcat is one of the most popular Java HTTP web server environments and was first released in 1998. Ghostcat is a high severity vulnerability in Tomcat discovered by security researchers at Chaitin Tech on January […]
Security breach leaks the personal data of all 6.5 million Israeli voters
On February 7th, 2020 I received an anonymous tip through the “leak inbox” of the Israeli CyberCyber podcast.
Node.js release fixes a critical HTTP security vulnerability
A new Node.js security release was published earlier today, 6th of February, 2020 which fixes one Critical severity and two High severity issues. This release also includes stricter HTTP parsing. According to the official release notes included in the following Node.js commit: Also, HTTP parsing is more strict to be more secure. Since this may […]