9248 matches found

Vulnrichment
added 2023/08/07 8:55 p.m. · 14 views

CVE-2023-39523 ScanCode.io command injection in docker image fetch process

ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the dockerreference parameter. In the...

CVSS 6.8 · AI score 8.9 · EPSS 0.02437
Exploits: 1 · References: 4

OSV
added 2023/08/07 8:55 p.m. · 58 views

CVE-2023-39523 ScanCode.io command injection in docker image fetch process

ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the dockerreference parameter. In the...

CVSS 6.8 · AI score 8.8 · EPSS 0.02437
Exploits: 1 · References: 6

Cvelist
added 2023/08/07 8:55 p.m. · 30 views

CVE-2023-39523 ScanCode.io command injection in docker image fetch process

ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process as it allows to append malicious commands in the dockerreference parameter. In the...

CVSS 6.8 · AI score 9.1 · EPSS 0.02437
Exploits: 1 · References: 4

Positive Technologies
added 2023/08/07 12:0 a.m. · 8 views

PT-2023-4304 · Docker · Docker

Name of the Vulnerable Software and Affected Versions: ScanCode.io versions prior to 32.5.1 Description: The issue is related to a command injection vulnerability in the docker fetch process. This vulnerability allows malicious commands to be appended to the docker reference parameter. The docker...

CVSS 8.8 · AI score 8.9 · EPSS 0.02437
Exploits: 1 · References: 11

CNNVD
added 2023/08/07 12:0 a.m. · 25 views

ScanCode Command Injection Vulnerability

ScanCode is an open source tool for analyzing and scanning source code for open source license information and potential intellectual property issues. A command injection vulnerability exists in ScanCode.io versions prior to 32.5.1, which stems from a command injection vulnerability in the...

CVSS 8.8 · AI score 7.5 · EPSS 0.02437
Exploits: 1 · References: 5

Kitploit
added 2023/08/06 12:30 p.m. · 47 views

AiCEF - An AI-assisted cyber exercise content generation framework using named entity recognition

AiCEF is a tool implementing the accompanying framework 1 in order to harness the intelligence that is available from online resources, as well as threat groups' activities, arsenal eg. MITRE, to create relevant and timely cybersecurity exercise content. This way, we abstract the events from the...

AI score 6.9
Exploits: 0 · References: 6

Tenable Nessus
added 2023/08/04 12:0 a.m. · 61 views

Jenkins plugins Multiple Vulnerabilities (2022-11-15)

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - Jenkins Script Security Plugin 1189.vbab7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it...

CVSS 9.8 · AI score 8.2 · EPSS 0.34819
Exploits: 3 · References: 26

GithubExploit
added 2023/08/02 9:50 a.m. · 181 views

Exploit for Path Traversal in Apache Http_Server

PoC exploit for CVE-2021-41773 and CVE-2021-42013, two vulnerabi...

CVSS 9.8 · AI score 9.7 · EPSS 0.99992
Exploits: 173

GithubExploit
added 2023/08/01 6:12 p.m. · 184 views

Exploit for Missing Authentication for Critical Function in F5 Big-Ip_Access_Policy_Manager

Refresh This container emulates the vulnerable functionality o...

CVSS 9.8 · AI score 10 · EPSS 0.99956
Exploits: 63

GithubExploit
added 2023/07/26 8:5 a.m. · 450 views

Exploit for CVE-2021-3129

CVE-2021-3129 Laravel RCE CVE-2021-3129 Test Environment...

CVSS 9.8 · AI score 9.8 · EPSS 0.99943
Exploits: 36

GithubExploit
added 2023/07/24 6:52 p.m. · 695 views

Exploit for SQL Injection in Apache Log4J

CVE-2022-23305 Log4j JDBCAppender sql injection POC This is a...

CVSS 9.8 · AI score 9.7 · EPSS 0.66537
Exploits: 1

Malwarebytes
added 2023/07/24 2:0 a.m. · 43 views

A week in security (July 17 - 23)

Last week on Malwarebytes Labs: CISA: You've got two weeks to patch Citrix NetScaler vulnerability CVE-2023-3519 Estee Lauder targeted by Cl0p and BlackCat ransomware groups Google fixes "Bad.Build" Cloud Build flaw, researchers say it's not enough Accidental VirusTotal upload is a valuable...

CVSS 7.5 · AI score 7 · EPSS 0.99445
Exploits: 16

GithubExploit
added 2023/07/21 12:55 p.m. · 320 views

Exploit for Code Injection in Apache Airflow

Apache Airflow official report description says: A vulnerab...

CVSS 8.8 · AI score 8.9 · EPSS 0.85653
Exploits: 2

GithubExploit
added 2023/07/21 12:55 p.m. · 357 views

Exploit for Code Injection in Apache Airflow

Apache Airflow official report description says: A vulnerab...

CVSS 8.8 · AI score 8.9 · EPSS 0.85653
Exploits: 2

IBM Security Bulletins
added 2023/07/21 12:17 p.m. · 43 views

Security Bulletin: IBM Sterling Global Mailbox is vulnerable to denial of service due to WebSphere Liberty Server (CVE-2022-3509, CVE-2022-3171)

Summary A security vulnerability has been identified and addressed in WebSphere Liberty Server shipped with IBM Sterling Global Mailbox. Vulnerability Details CVEID:CVE-2022-3509 DESCRIPTION: protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing...

CVSS 7.5 · AI score 6.2 · EPSS 0.01048
Exploits: 0 · Affected Software: 1

IBM Security Bulletins
added 2023/07/21 12:8 p.m. · 64 views

Security Bulletin: IBM Sterling Global Mailbox is vulnerable to sensitive data exposure due to Apache CXF (CVE-2022-46363)

Summary A security vulnerability has been identified and addressed in Apache CXF shipped with IBM Sterling Global Mailbox. Vulnerability Details CVEID:CVE-2022-46363 DESCRIPTION: Apache CXF could allow a remote attacker to obtain sensitive information, caused by a flaw when the CXFServlet is...

CVSS 7.5 · AI score 8.3 · EPSS 0.01193
Exploits: 1 · Affected Software: 1

Veracode
added 2023/07/20 10:35 a.m. · 19 views

Information Disclosure

agpt is vulnerable to Information Disclosure. The vulnerability exists because it does not properly restrict writing to the docker-compose.yml, which allows an attacker to inject malicious custom Python code into the system the next time the docker container is run by overwriting the compose file...

CVSS 8.8 · AI score 6.9 · EPSS 0.00341
Exploits: 0 · References: 3 · Affected Software: 1

Tenable Nessus
added 2023/07/20 12:0 a.m. · 107 views

Amazon Linux 2023 : docker (ALAS2023-2023-260)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-260 advisory. http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Tenable has extracted the preceding description block directly from the tested product security advisory. Note that Nessus has no...

CVSS 7.5 · AI score 6.8 · EPSS 0.04561
Exploits: 0 · References: 4

The Hacker News
added 2023/07/19 9:34 a.m. · 32 views

Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation

Cybersecurity researchers have uncovered a privilege escalation vulnerability in Google Cloud that could enable malicious actors to tamper with application images and infect users, leading to supply chain attacks. The issue, dubbed Bad.Build, is rooted in the Google Cloud Build service, according to...

AI score 7.1
Exploits: 0

Malwarebytes
added 2023/07/19 3:0 a.m. · 16 views

Docker Hub images found to expose secrets and private keys

Numerous Docker images shared on Docker Hub are exposing sensitive data, according to a study conducted by researchers at the German university RWTH Aachen. Needless to say, this poses a significant security risk. In traditional software development, programmers code an application in one computi...

AI score 7.1
Exploits: 0