Microsoft Azure DevOps Server 跨站脚本漏洞

Microsoft Azure DevOps Server is a suite of software development collaboration tools from Microsoft Corporation USA. The product includes features such as code sharing, work tracking, and software distribution. A cross-site scripting vulnerability exists in Microsoft Azure DevOps Server. The...

Security Isn’t a Four-Letter Word: How Infrastructure as Code (IaC) Amplifies DevOps Through the Inclusion of Security

Our fast-paced lives are fueled by innovative, cloud-native companies. We are able to watch our favorite programs and movies from anywhere in the world on any device. We are able to collaborate with our colleagues on an upcoming presentation, regardless of whether we’re in the office or at home...

DevOps Teams Can Prove ISO Compliance with Automation

Learn the ISO standards for security and cloud compliance as well as the automated mechanisms to ensure those standards...

AppSec Bites: Implementing DevOps? What Security Teams Need to Know. (Part 4)

DevOps practices can be difficult to implement for any business. While the overall goal is to streamline the business and join the development and operations sides of things together, the first step needs to be a strong relationship between DevOps and security teams otherwise things will typicall...

How to Keep Up With Vulnerability Management Challenges in Ephemeral Cloud Environments

This blog is part of an ongoing series sharing key takeaways from Rapid7’s 2020 Cloud Security Executive Summit. Interested in participating in the next summit on March 9? Register here! The modern perspective is that the cloud has made it much easier to have visibility of your attack surface and...

Kubestriker - A Blazing Fast Security Auditing Tool For Kubernetes

Kubestriker performs numerous in depth checks on kubernetes infra to identify the security misconfigurations and challenges that devops engineers/developers are likely to encounter when using Kubernetes, especially in production and at scale. kubestriker is Platform agnostic and works equally wel...

Anatomy of a Security Super Bowl Dynasty, Part 1: The Defense

Imperva’s Directors of Technology in the Office of the CTO, Brian Anderson and Craig Burlingame, recently conducted an informal education session titled Creating a Security Super Bowl Dynasty. In this presentation, they used examples of how teams create consistent, sustainable success in American...

Edge Redirector Cloudlet Gets Faster

Written by Maksym Novoseltsev - Senior Software Engineer, and Jeffrey Costa - Senior Product Manager, Web Performance Cloudlets Policy Manager often takes a long time to load, which is a by-product of its original design where every policy activation is an individual file. These files must be...

Rapid7 Acquires Leading Kubernetes Security Provider, Alcide

Organizations around the globe continue to embrace the flexibility, speed, and agility of the cloud. Those that have adopted it are able to accelerate innovation and deliver real value to their customers faster than ever before. However, while the cloud can bring a tremendous amount of benefits t...

Finding Results at the Intersection of Security and Engineering

As vice president and head of global security at ActiveCampaign, I’m fortunate to be able to draw on a multitude of experiences and successes in my career. I started in general network security, where I was involved in pen testing and security research. I worked at several multibillion-dollar Saa...

Theonedev Onedev Injection Vulnerability (CNVD-2021-06530)

Theonedev Onedev is a JAVA-based all-in-one DevOps platform from the Theonedev team. The platform supports container build, orchestration, CI, Git management, team collaboration and other features to help developers build a simple, powerful development platform. OneDev versions prior to 4.0.3 hav...

Theonedev Onedev Information Disclosure Vulnerability

Theonedev Onedev is a JAVA-based all-in-one DevOps platform from the Theonedev team. The platform supports container build, orchestration, CI, Git management, team collaboration and other features to help developers build a simple, powerful development platform. Theonedev Onedev versions prior to...

CVE-2021-21250

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migratebuildSpecString; which processes the XML document withou...

CVE-2021-21245

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data request.getInputStream to a user specified location request.getHeader"File-Name". This issue may lead to arbitrary file upload which can be used to upload a WebShell to...

CVE-2021-21242

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the Attachment-Support header. This Servlet does not enforce any authentication or...

CVE-2021-21249

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse and process YAML files, OneDev uses SnakeYaml which by default when not using SafeConstructor allows the...

CVE-2021-21248

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job paramete...

CVE-2021-21248

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job paramete...

Design/Logic Flaw

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data request.getInputStream to a user specified location request.getHeader"File-Name". This issue may lead to arbitrary file upload which can be used to upload a WebShell to...

Design/Logic Flaw

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the /users/id endpoint there are no security checks enforced so it is possible to retrieve...