Learn more about vulnerabilities and exploits from our dedicated security team and others.
Welcome to our new security report: .NET open source security insights. This report is split into three posts: .NET open source security insights; Unique to the .NET ecosystem, 75% of the top twenty vulnerabilities have a high severity rating; Remote code execution, cross-site scripting, and denial of service vulnerabilities account for 2/3 of known vulnerabilities […]
Concerns of supply-chain attacks amplify as remote code execution was found in Ruby gem strong_password
On July 5th, 2019, the CVE-2019-13354 security advisory was published for a malicious version of the strong_password Ruby gem which allows for remote code execution in applications bundling the vulnerable dependency. We have already added the vulnerability to our database, and if your Ruby project is being monitored by Snyk, you will have already been […]
Snyk research team discovers severe prototype pollution security vulnerabilities affecting all versions of lodash
On July 2nd, 2019, Snyk published a high severity prototype pollution security vulnerability (CVE-2019-10744) affecting all versions of lodash, as the result of an ongoing analysis led by the Snyk security research team. UPDATE: lodash published version 4.17.12 on July 9th, which includes Snyk's fixes and remediates the vulnerability. We strongly recommend you update to […]
Cryptocurrency wallet developer Komodo has been in the news recently as the most recent victim of an attempted cryptocurrency attack by malicious code injection via npm dependencies. The EasyDEX-GUI project which provides a graphical user interface (GUI) to SuperNET/Iguana cryptocurrency APIs and is used by Komodo’s Agama wallet has been found to contain a malicious […]
Affected versions of axios are vulnerable to Denial of Service (DoS) because content continues to be processed from requests even after maxContentLength is exceeded, causing increased I/O and CPU usage.
On March 26, 2019, a malicious version of the popular bootstrap-sass package, which has been downloaded a total of 28 million times to date, was published to the official RubyGems repository. Version 18.104.22.168 includes a stealthy backdoor that gives attackers remote command execution on server-side Rails applications. We have already added the vulnerability to our […]
A security flaw discovered by Adam Iwaniuk and Borys Popławski in the open source software runC was disclosed on February 11th, 2019 and described in CVE-2019-5736. The vulnerability, affecting several container engines such as Docker and Kubernetes, is found in a key component of container engines and allows containers to break out of their […]
A recently discovered vulnerability in NumPy, the widely used open source package for scientific computing in Python, allows for the execution of arbitrary, potentially malicious code. NumPy is part of the SciPy ecosystem, which is a collection of open source software packages for mathematics, science, and engineering. NumPy is used in both industry and […]
Earlier this month it was found that Bower, a popular web package manager, is vulnerable to archive extraction attacks. Two security incidents are currently associated with it, and follow-up releases addressing them are available: Arbitrary file writes with potential remote command injection, which was fixed in Bower 1.8.6, resulted from the Zip […]
On December 3rd, 2018, a severe vulnerability was disclosed to the Kubernetes community, which marks the first critical CVE found in the Kubernetes project (based on a CVSS v3 score). Patched versions were released and made available for end users and cloud providers. Make sure you upgrade to a fixed version, if you haven’t done […]