386 matches found

Microsoft Secure
added 2021/02/25 4:0 p.m., 45 views

Microsoft open sources CodeQL queries used to hunt for Solorigate activity

A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product. These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, suc...

7.3 AI score
Exploits 0

Microsoft Malware Protection
added 2021/02/25 4:0 p.m., 43 views

Microsoft open sources CodeQL queries used to hunt for Solorigate activity

A key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries in SolarWinds’ Orion product. These modified binaries were distributed via previously legitimate update channels and allowed the attacker to remotely perform malicious activities, suc...

7.3 AI score
Exploits 0

Fedora
added 2021/02/24 8:47 p.m., 53 views

[SECURITY] Fedora 32 Update: radare2-5.1.1-1.fc32

The radare2 is a reverse-engineering framework that is multi-architecture, multi-platform, and highly scriptable. Radare2 provides a hexadecimal editor, wrapped I/O, file system support, debugger support, diffing between two functions or binaries, and code analysis at opcode, basic block, and...

7.5 CVSS, 0.4 AI score, 0.00518 EPSS
Exploits 2

Kitploit
added 2021/02/22 11:30 a.m., 274 views

Horusec - An Open Source Tool That Improves Identification Of Vulnerabilities In Your Project With Just One Command

Horusec is an open source tool that performs static code analysis to identify security flaws during the development process. Currently, the languages for analysis are: C, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, Dart. The tool has...

7.4 AI score
Exploits 0, References 7

AlmaLinux
added 2020/11/03 12:23 p.m., 17 views

llvm-toolset:rhel8 bug fix and enhancement update

LLVM Toolset provides the LLVM compiler infrastructure framework, the Clang compiler for the C and C++ languages, the LLDB debugger, and related tools for code analysis. For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section...

1.7 AI score
Exploits 0

Opera Security Advisories
added 2020/10/28 12:0 a.m., 5 views

Opera Receives DevSecOps All-Star Award at SnykCon 2020

October 28th, 2020: At SnykCon 2020, Opera received the DevSecOps All-Star Award for leveraging Snyk to bring a complete and fully automated DevSecOps process into a secure software development lifecycle. Opera was represented by...

8.8 CVSS, 7 AI score, 0.23127 EPSS
Exploits 12, References 1

Kitploit
added 2020/10/05 8:30 p.m., 80 views

Kube-Score - Kubernetes Object Analysis With Recommendations For Improved Reliability And Security

kube-score is a tool that performs static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient. You can test kube-score out in the browser with the online demo source. Installation...

7.4 AI score
Exploits 0, References 5

CVE
added 2020/09/09 3:28 p.m., 45 views

CVE-2020-11986

The CVE-2020-11986 issue affects Apache NetBeans up to 12.0. Opening a Gradle project causes the build script to run at load time, potentially enabling remote attackers to execute code without user consent. The Arch Linux advisory confirms a remote arbitrary code execution vulnerability and direc...

9.8 CVSS, 9.4 AI score, 0.05128 EPSS
Exploits 0, References 3, Affected Software 1

Fedora
added 2020/08/07 1:20 a.m., 27 views

[SECURITY] Fedora 32 Update: radare2-4.5.0-2.fc32

The radare2 is a reverse-engineering framework that is multi-architecture, multi-platform, and highly scriptable. Radare2 provides a hexadecimal editor, wrapped I/O, file system support, debugger support, diffing between two functions or binaries, and code analysis at opcode, basic block, and...

9.6 CVSS, 0.4 AI score, 0.00844 EPSS
Exploits 0

Fedora
added 2020/08/07 1:9 a.m., 23 views

[SECURITY] Fedora 31 Update: radare2-4.5.0-1.fc31

The radare2 is a reverse-engineering framework that is multi-architecture, multi-platform, and highly scriptable. Radare2 provides a hexadecimal editor, wrapped I/O, file system support, debugger support, diffing between two functions or binaries, and code analysis at opcode, basic block, and...

9.6 CVSS, 0.4 AI score, 0.00844 EPSS
Exploits 0

Packet Storm
added 2020/08/03 12:0 a.m., 230 views

October CMS Build 465 XSS / File Read / File Deletion / CSV Injection

October CMS = Build 465 Multiple Vulnerabilities Author - Sivanesh Ashok | @sivaneshashok | stazot.com Date : 2020-03-31 Vendor : https://octobercms.com/ Version : = Build 465 Tested on : Build 465 CVE : CVE-2020-5295, CVE-2020-5296, CVE-2020-5297, CVE-2020-5298, CVE-2020-5299, CVE-2020-11083 Las...

4.6 CVSS, 0.1 AI score, 0.0968 EPSS
Exploits 8

Kitploit
added 2020/07/27 12:30 p.m., 136 views

HawkScan - Security Tool For Reconnaissance And Information Gathering On A Website

Security Tool for Reconnaissance and Information Gathering on a website. python 2.x & 3.x This script use "WafW00f" to detect the WAF in the first step https://github.com/EnableSecurity/wafw00f This script use "Sublist3r" to scan subdomains https://github.com/aboul3la/Sublist3r This script use...

7.4 AI score
Exploits 0, References 5

OSV
added 2020/06/26 12:0 a.m., 9 views

OSV-2020-232 Heap-buffer-overflow in BEInt<unsigned short, 2>::operator unsigned short

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20021 Crash type: Heap-buffer-overflow READ 2 Crash state: BEInt::operator unsigned short OT::IntType::operator unsigned int OT::ArrayOf...

7.2 AI score
Exploits 0, References 1

Hacker One
added 2020/05/22 2:43 a.m., 10 views

HackerOne: Near to Infinite loop when changing Group's name that has API token as Team Member

Summary: The https://hackerone.com contains an iteration or loop with an exit condition that is near to infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory and even a DoS attack. Description: Hello...

7 AI score
Exploits 0

GithubExploit
added 2020/03/02 4:48 p.m., 249 views

Exploit for Use After Free in Embedthis Goahead

CVE-2019-5096: Use After Free DoS Exploit python TriggerD...

9.8 CVSS, 7.4 AI score, 0.79583 EPSS
Exploits 2

Fedora
added 2020/02/14 1:43 a.m., 23 views

[SECURITY] Fedora 31 Update: radare2-4.2.1-2.fc31

The radare2 is a reverse-engineering framework that is multi-architecture, multi-platform, and highly scriptable. Radare2 provides a hexadecimal editor, wrapped I/O, file system support, debugger support, diffing between two functions or binaries, and code analysis at opcode, basic block, and...

7.8 CVSS, 0.4 AI score, 0.02925 EPSS
Exploits 3

Fedora
added 2020/02/14 1:12 a.m., 37 views

[SECURITY] Fedora 30 Update: radare2-4.2.1-2.fc30

The radare2 is a reverse-engineering framework that is multi-architecture, multi-platform, and highly scriptable. Radare2 provides a hexadecimal editor, wrapped I/O, file system support, debugger support, diffing between two functions or binaries, and code analysis at opcode, basic block, and...

7.8 CVSS, 0.4 AI score, 0.02925 EPSS
Exploits 3

OpenVAS
added 2020/02/14 12:0 a.m., 53 views

Fedora: Security Advisory for radare2 (FEDORA-2020-4a3ff78ba5)

The remote host is missing an update for the Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

7.8 CVSS, 6.8 AI score, 0.02925 EPSS
Exploits 1, References 2

Kitploit
added 2020/01/28 11:30 a.m., 14 views

ApplicationInspector - A Source Code Analyzer Built For Surfacing Features Of Interest And Other Characteristics To Answer The Question 'What's In It' Using Static Analysis With A Json Based Rules Engine

Microsoft Application Inspector is a software source code analysis tool that helps identify and surface well-known features and other interesting characteristics of source code to aid in determining what the software is or what it does. Application Inspector is different from traditional static...

7.6 AI score
Exploits 0, References 3

ripstech
added 2019/12/10 7:0 a.m., 13 views

How to Fine-Tune Static Code Analysis - Part 1

Before integrating SAST into your SDLC you want to make sure that your code analysis produces only relevant findings with the best performance possible. In the first part of this guide, we will cover the following 5 configuration options and best practices for fine-tuning: Set the Language Versio...

7.1 AI score
Exploits 0