
54 matches found

Packet Storm News
added 2026/05/14 12:00 a.m., 5 views

Detecting Privilege Escalation in Polyglot Microservices Via Agentic Program Analysis

Microservices are widely adopted in modern cloud systems due to their scalability and fault tolerance. However, microservice architectures introduce significant complexity in privilege and permission control, creating risks of privilege escalation where attackers can gain unauthorized access to...

AI score 5.8
Exploits 0
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2017-6834

Malware in sbrugna...

CVSS 9.8 | AI score 9.5 | EPSS 0.00238
Exploits 1 | References 2
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-52771

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 4.8 | EPSS 0.00168
Exploits 0 | References 2
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2021-30703

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.00543
Exploits 0 | References 2
Packet Storm News
added 2025/07/15 12:00 a.m., 1 view

MT4DP: Data Poisoning Attack Detection for DL-Based Code Search Models Via Metamorphic Testing

Recently, several studies have indicated that data poisoning attacks pose a severe security threat to deep learning-based (DL-based) code search models. Attackers inject carefully crafted malicious patterns into the training data, misleading the code search model to learn these patterns during...

AI score 7.2
Exploits 0
Ubuntu
added 2025/06/10 5:11 p.m., 4 views

USN-7563-1: .NET vulnerability

It was discovered that .NET did not properly validate the search path in Microsoft.NETCore.App.Runtime. An attacker could possibly use this issue to execute arbitrary code...

CVSS 7.5 | AI score 7.2 | EPSS 0.0028
Exploits 0
RedhatCVE
added 2025/05/22 6:37 p.m., 6 views

CVE-2021-32787

Sourcegraph is a code search and navigation engine. Sourcegraph before version 3.30.0 has two potential information leaks. The site-admin area can be accessed by regular users and all information and features are properly protected except for daily usage statistics and code intelligence uploads a...

CVSS 4.3 | AI score 6.8 | EPSS 0.00199
Exploits 0 | References 1
Kitploit
added 2023/06/25 12:30 p.m., 22 views

Gato - GitHub Self-Hosted Runner Enumeration And Attack Tool

Gato, or GitHub Attack Toolkit, is an enumeration and attack tool that allows both blue teamers and offensive security practitioners to evaluate the blast radius of a compromised personal access token within a GitHub organization. The tool also allows searching for and thoroughly enumerating publ...

AI score 7.7
Exploits 0 | References 6
Prion
added 2022/08/01 7:15 p.m., 9 views

Authorization

Sourcegraph is an open source code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users’ saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users’ saved searches, only...

CVSS 4 | AI score 4.6 | EPSS 0.00168
Exploits 0 | References 2 | Affected Software 1
CVE
added 2022/08/01 6:40 p.m., 62 views

CVE-2022-31155

Sourcegraph includes an authorization bug that, in versions before 3.41.0, allows an attacker to overwrite (delete) other users’ saved searches with attacker-controlled data. The vulnerability does not enable reading of others’ saved searches. The issue is mitigated by upgrading to Sourcegraph 3....

CVSS 4.3 | AI score 4.5 | EPSS 0.00168
Exploits 0 | References 2 | Affected Software 1
OSV
added 2022/05/17 4:43 a.m., 25 views

GHSA-95XQ-V4M2-FQ3R GitLab Grit Gem for Ruby contains a flaw allowing arbitrary commands to be executed

The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature. GitLab Grit Gem for Ruby contains a flaw in the app/contexts/searchcontext.rb...

CVSS 6.5 | AI score 6.6 | EPSS 0.00202
Exploits 0 | References 6
Github Security Blog
added 2022/05/17 4:43 a.m., 20 views

GitLab Grit Gem for Ruby contains a flaw allowing arbitrary commands to be executed

The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code search feature. GitLab Grit Gem for Ruby contains a flaw in the app/contexts/searchcontext.rb...

CVSS 6.5 | AI score 7.1 | EPSS 0.00202
Exploits 0 | References 6 | Affected Software 1
OSV
added 2022/05/05 11:25 p.m., 15 views

CVE-2022-29171 Remote Code Execution in sourcegraph

Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a callsignCommand, which is used to obtain...

CVSS 6.6 | AI score 7.1 | EPSS 0.0224
Exploits 0 | References 3
CNVD
added 2022/02/22 12:00 a.m., 19 views

Sourcegraph code injection vulnerability

Sourcegraph is an open source code search and navigation tool from Sourcegraph, Inc. Sourcegraph is vulnerable to a code injection vulnerability that could be exploited by attackers to cause remote code execution...

CVSS 8.8 | AI score 4.9 | EPSS 0.85278
Exploits 8 | References 1
CVE
added 2022/02/18 10:15 p.m., 162 views

CVE-2022-23642

Sourcegraph prior to 3.37 is vulnerable to remote code execution in the gitserver service due to insufficient restriction on git config execution. The issue arises when an attacker who can access internal gitserver HTTP endpoints can set the git core.sshCommand option, causing git to execute arbi...

CVSS 8.8 | AI score 8.8 | EPSS 0.85278
Exploits 8 | References 4 | Affected Software 1
CNNVD
added 2022/02/18 12:00 a.m., 1 view

Sourcegraph code injection vulnerability

Sourcegraph is an open source code search and navigation tool from Sourcegraph, Inc. Sourcegraph is vulnerable to a code injection vulnerability that could be exploited by attackers to cause remote code execution...

CVSS 8.8 | AI score 6.2 | EPSS 0.85278
Exploits 8 | References 11
NVD
added 2022/02/15 10:15 p.m., 11 views

CVE-2022-23643

Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerability in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...

CVSS 6.5 | EPSS 0.00257
Exploits 0 | References 2
Prion
added 2022/02/15 10:15 p.m., 12 views

Code injection

Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerability in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects...

CVSS 4 | AI score 6.3 | EPSS 0.00543
Exploits 0 | References 2 | Affected Software 1
CVE
added 2021/12/13 7:55 p.m., 45 views

CVE-2021-43823

Sourcegraph before version 3.33.2 is affected by a side-channel vulnerability in the Saved Searches and Code Monitoring features. An authenticated but unauthorized actor could create many Saved Searches or Code Monitors to infer whether specific strings exist in private source code, potentially e...

CVSS 6.5 | AI score 6.3 | EPSS 0.00543
Exploits 0 | References 2 | Affected Software 1
CVE
added 2021/08/02 10:00 p.m., 39 views

CVE-2021-32787

CVE-2021-32787 affects Sourcegraph before version 3.30.0. The vulnerability exposes information in the site-admin area to regular users, leaking daily usage statistics and code intelligence uploads/indexes while not allowing alteration of other features. The root cause is improper access to site-...

CVSS 4.3 | AI score 4.3 | EPSS 0.00199
Exploits 0 | References 2 | Affected Software 1