Showing 1 - 12 of 21 posts
Don’t Get Too Comfortable: Hacking ComfyUI Through Custom Nodes
This research focuses on ComfyUI, a popular stable diffusion platform with over 1,300 custom node extensions available. Through real-world examples, we demonstrate how even seemingly minor vulnerabilities in custom nodes can lead to full server compromise and explore practical strategies for securing applications that rely on third-party plugin ecosystems to minimize these risks.
GitFlops: The dangers of terraform automation platforms
Terraform automation platforms streamline infrastructure management but also introduce security vulnerabilities when speculative plans are executed. Read how attackers can exploit Terraform lifecycle automation to gain unauthorized cloud access, compromising environments far beyond a single team's control. Learn about the attack vectors, including malicious provider plugins and external data sources, and discover essential mitigation strategies to safeguard your infrastructure.
Repo Jacking: The Great Source-code Swindle
In this post, we explore a powerful, yet widely unknown attack vector which has emerged in the last couple of years known as ‘Repo Jacking’. During our research, we discovered the enormous potential to compromise software components with tens of millions of downloads across the Terraform IaC (Infrastructure as Code) and Composer (PHP package registry) ecosystems.
Call for action: Exploring vulnerabilities in Github Actions
In this blog post, we will provide an overview of GitHub Actions, examine various vulnerable scenarios with real-world examples, offer clear guidance on securely using error-prone features, and introduce an open source tool designed to scan configuration files and flag potential issues.
Vulnerability: runc process.cwd and leaked fds container breakout (CVE-2024-21626)
CVE-2024-21626: Snyk has discovered an order of operations container breakout vulnerability in all versions of runc <=1.1.11, as used by the Docker engine, along with other containerization technologies such as Kubernetes.