S3C2 Summit 2025-07: Government Secure Supply Chain Summit

Software supply chains, while providing immense economic and software development value, are only as strong as their weakest link. Over the past several years, there has been an exponential increase in cyberattacks specifically targeting vulnerable links in critical software supply chains. The...

Security Notice: Impact of CVE-2026-33634 on ownCloud Build Infrastructure - ownCloud

No customer data was compromised. No source code was altered. The attack affected our build infrastructure only – specifically the systems that produce container images and client binaries. If you are using a build before March 19th, no action is needed If you are using ocis-rolling image conta...

CVE-2025-15612 Wazuh Provisioning Scripts / Build Infrastructure Improper Certificate Validation leading to MITM and RCE

Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies o...

CVE-2025-15612 Wazuh Provisioning Scripts / Build Infrastructure Improper Certificate Validation leading to MITM and RCE

Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies o...

Establishing a Baseline of Software Supply Chain Security Task Adoption by Software Organizations

Software supply chain attacks have increased exponentially since 2020. The primary attack vectors for supply chain attacks are through: 1 software components; 2 the build infrastructure; and 3 humans a.k.a software practitioners. Software supply chain risk management frameworks provide a list of...

Intel Consolidated Build Infrastructure 安全漏洞

Intel Consolidated Build Infrastructure is a comprehensive build infrastructure from Intel Corporation USA. A security vulnerability previously existed in Intel Consolidated Build Infrastructure version 2.1.10300, which stemmed from an improper access control issue. It could allow authenticated...

CVE-2022-39206 CI/CD Docker Escape in OneDev

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket e.g. /var/run/docker.sock on Linux is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daem...

Hackers Planted Backdoor in Webmin, Popular Utility for Linux/Unix Servers

Following the public disclosure of a critical zero-day vulnerability in Webmin last week, the project's maintainers today revealed that the flaw was not actually the result of a coding mistake made by the programmers. Instead, it was secretly planted by an unknown hacker who successfully managed ...