Using InsightVM to Find Apache Log4j CVE-2021-44228
There are many methods InsightVM can use to identify vulnerable software. Which method is best depends on the software and specific vulnerability in question, not to mention variability that comes into play with differing network topologies and Scan Engine deployment strategies. When it comes to ...
Doctrine DBAL SQL Injection Vulnerability
Doctrine DBAL is a Doctrine database abstraction layer. A security vulnerability exists in Doctrine DBAL that stems from allowing SQL injection to occur if an application developer ends up using the AbstractPlatform::modifyLimitQuery API via the proprietary user input DBAL QueryBuilder or any...
Distribute Reports to Email Addresses in InsightVM
Rapid7 is investing heavily in the reporting and dashboard capabilities of InsightVM. In 2021 alone, we launched the ability to filter dashboards via single query, a new report creation wizard powered by our query builder, several use-case-driven dashboard templates, and most recently, the abilit...
What’s New in InsightIDR: Q1 2021 in Review
Back at the start of the year, we reflected on some of our 2020 InsightIDR product investments and took a look at what was ahead in 2021 (see the blog here). As the first quarter of the year comes to a close, we wanted to offer a closer look at some of the recent updates and releases in InsightIDR,...
GHSA-X7P5-P2C9-PHVG Unexpected database bindings
This is a follow-up to the previous security advisory GHSA-3p32-j457-pg5x which addresses a few additional edge cases. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the quer...
Query Binding Exploitation
illuminate/database is vulnerable to query binding exploitation. The vulnerability exists through the lack of control on the expected bindings in the Query Builder...
CVE-2021-21263
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an...
Design/Logic Flaw
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an...
How InsightVM Helps You Save Time and Prove Value
For many security teams, vulnerability risk management can feel like an endless climb. The truth is, no IT environment will ever be fully free of cyber-risk. That said, there are simple, attainable steps you can take right away to achieve an acceptable level of risk for your organization with the...
CVE-2020-6218
Admin tools and Query Builder in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, allow an attacker to access information that should otherwise be restricted, leading to Information Disclosure...
Information disclosure
Admin tools and Query Builder in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, allow an attacker to access information that should otherwise be restricted, leading to Information Disclosure...
Unexpected bindings in QueryBuilder
More info at https://blog.laravel.com/security-laravel-62011-7302-8221-released https://blog.laravel.com/security-laravel-62012-7303-released...
ATT&CK +osquery = Love
I had the ability to live-stream MITRE's ATT&CKcon, a two-day event where organizations came together as a community to share their best practices with leveraging the ATT&CK framework. At this conference, Scott Lundgren, Chief Architect at Carbon Black, presented “ATT&CK + osquery = Love,” where ...
Failure to sanitize quotes which can lead to SQL injection
Overview: All versions of squel are vulnerable to SQL injection. The squel package does not properly escape user-provided input when provided using the setFields method. This could lead to SQL injection if the query was then executed. Proof of concept demonstrating the injection of a single quote...
Announcing the new log search UI for Logentries
We are excited to announce the upcoming release of our brand new log search functionality. This contains a number of new features and a lot of improvements to the user experience. Among some of the new features is a brand new query builder, the ability to change which logs should be in a log set,...
[SECURITY] Fedora 21 Update: drupal7-views-3.11-1.fc21
The views module provides a flexible method for Drupal site designers to control how lists of content nodes are presented. Traditionally, Drupal has hard-coded most of this, particularly in how taxonomy and tracker lists are formatted. This tool is essentially a smart query builder that, given...
[SECURITY] Fedora 20 Update: drupal7-views-3.11-1.fc20
The views module provides a flexible method for Drupal site designers to control how lists of content nodes are presented. Traditionally, Drupal has hard-coded most of this, particularly in how taxonomy and tracker lists are formatted. This tool is essentially a smart query builder that, given...
[SECURITY] Fedora 21 Update: drupal7-views-3.10-1.fc21
The views module provides a flexible method for Drupal site designers to control how lists of content nodes are presented. Traditionally, Drupal has hard-coded most of this, particularly in how taxonomy and tracker lists are formatted. This tool is essentially a smart query builder that, given...
[SECURITY] Fedora 20 Update: drupal6-views-2.18-1.fc20
The views module provides a flexible method for Drupal site designers to control how lists of content nodes are presented. Traditionally, Drupal has hard-coded most of this, particularly in how taxonomy and tracker lists are formatted. This tool is essentially a smart query builder that, given...
[SECURITY] Fedora 21 Update: drupal6-views-2.18-1.fc21
The views module provides a flexible method for Drupal site designers to control how lists of content nodes are presented. Traditionally, Drupal has hard-coded most of this, particularly in how taxonomy and tracker lists are formatted. This tool is essentially a smart query builder that, given...