sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows

Summary On Windows, sbt uses Process"cmd", "/c", ... to run VCS commands git, hg, svn. The URI fragment branch, tag, revision is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious...

Google Launches OSS Rebuild to Expose Malicious Code in Widely Used Open-Source Packages

Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks. "As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to...

Splunk 代码问题漏洞

Splunk is a suite of data collection and analysis software from Splunk, Inc. in the United States. The software is primarily used to collect, index, and analyze data and the data it generates, including data generated by all IT systems and infrastructures physical, virtual machines, and cloud. A...