Vulnerabilities

Learn more about vulnerabilities and exploits from our dedicated security team and others.

.NET open source security insights

Welcome to our new security report: .NET open source security insights. This report is split into three posts: ".NET open source security insights"; "Unique to the .NET ecosystem, 75% of the top twenty vulnerabilities have a high severity rating"; "Remote code execution, cross-site scripting, and denial of service vulnerabilities account for 2/3 of known vulnerabilities" […]

July 25, 2019

Concerns of supply-chain attacks amplify as remote code execution was found in Ruby gem strong_password

On July 5th, 2019, the CVE-2019-13354 security advisory was published for a malicious version of the strong_password Ruby gem which allows for remote code execution in applications bundling the vulnerable dependency. We have already added the vulnerability to our database, and if your Ruby project is being monitored by Snyk, you will have already been […]

July 6, 2019

Snyk research team discovers severe prototype pollution security vulnerabilities affecting all versions of lodash

On July 2nd, 2019, Snyk published a high severity prototype pollution security vulnerability (CVE-2019-10744) affecting all versions of lodash, as the result of an ongoing analysis led by the Snyk security research team. UPDATE: lodash published version 4.17.12 on July 9th, which includes Snyk's fixes and remediates the vulnerability. We strongly recommend you update to […]

July 4, 2019

Yet another malicious package found in npm, targeting cryptocurrency wallets

Cryptocurrency wallet developer Komodo has been in the news recently as the latest victim of an attempted cryptocurrency attack by malicious code injection via npm dependencies. The EasyDEX-GUI project, which provides a graphical user interface (GUI) to the SuperNET/Iguana cryptocurrency APIs and is used by Komodo’s Agama wallet, has been found to contain a malicious […]

June 17, 2019

A Denial of Service vulnerability discovered in the Axios JavaScript package – affecting all versions of the popular HTTP client

Affected versions of axios are vulnerable to Denial of Service (DoS) because content continues to be processed from requests even after maxContentLength is exceeded, causing increased I/O and CPU usage.

May 6, 2019

After three years of silence, a new jQuery prototype pollution vulnerability emerges once again

On March 26th, 2019, almost three years after the last jQuery security vulnerability was disclosed, we learned about a new security vulnerability affecting the same popular jQuery frontend library. This vulnerability, referred to as and manifesting as prototype pollution, enables attackers to overwrite a JavaScript application's object prototype. When that happens, properties that are […]

April 15, 2019

Malicious remote code execution backdoor discovered in the popular bootstrap-sass Ruby gem

On March 26, 2019, a malicious version of the popular bootstrap-sass package, which has been downloaded a total of 28 million times to date, was published to the official RubyGems repository. Version 3.2.0.3 includes a stealthy backdoor that gives attackers remote command execution on server-side Rails applications. We have already added the vulnerability to our […]

April 3, 2019

A serious security flaw in runC can result in root privilege escalation in Docker and Kubernetes

A security flaw discovered by Adam Iwaniuk and Borys Popławski and found in open source software runC was disclosed on February 11th, 2019 and described in CVE-2019-5736. The vulnerability, affecting several container engines such as Docker and Kubernetes, is found in a key component of container engines and allows containers to break out of their […]

February 13, 2019

NumPy Arbitrary Code Execution Vulnerability

A recently discovered vulnerability in NumPy, the widely used open source package for scientific computing in Python, allows for the execution of arbitrary, potentially malicious code. NumPy is part of the SciPy ecosystem, which is a collection of open source software packages for mathematics, science, and engineering. NumPy is used in both industry and […]

February 4, 2019

Severe Security Vulnerability in Bower’s Zip Archive Extraction

Earlier this month it was found that Bower, a popular web package manager, is vulnerable through its archive extraction. Currently, two security incidents are associated with it, and follow-up releases that address them are available: Arbitrary file writes with potential remote command injection, which was fixed in Bower 1.8.6, resulted from the Zip […]

January 31, 2019

Critical Arbitrary Code Execution Vulnerability Found in Kubernetes

On December 3rd, 2018, a severe vulnerability was disclosed to the Kubernetes community, which marks the first critical CVE found in the Kubernetes project (based on a CVSS v3 score). Patched versions were released and made available for end users and cloud providers. Make sure you upgrade to a fixed version, if you haven’t done […]

December 20, 2018