Lucene search

5 matches found

Github Security Blog
added 2025/03/05 6:31 p.m., 20 views

Lucee RCE/XXE Vulnerability

Impact The Lucee team received a responsible disclosure of a security vulnerability which affects all previous releases of Lucee. After reviewing the report and confirming the vulnerability, the Lucee team then conducted a further security review and found additional vulnerabilities which have be...

CVSS: 9.8, AI score: 7.3, EPSS: 0.0076
Exploits: 0, References: 3, Affected Software: 1
SonarSource Blog
added 2021/10/27 12:00 a.m., 50 views

Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD

GoCD, written in Java, is a popular CI/CD solution with a large range of users from NGOs to Fortune 500 companies with billions of dollars in revenue. Naturally, this makes it a critical piece of infrastructure and an extremely attractive target for attackers. In order to automate build and relea...

EPSS: 0.23688
Exploits: 2
RubySec
added 2020/05/18 12:00 a.m., 28 views

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the raw: true parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerabl...

CVSS: 9.8, AI score: 2.6, EPSS: 0.45732
Exploits: 5, References: 1, Affected Software: 1
securityvulns
added 2014/05/07 12:00 a.m., 82 views

Apache Struts multiple security vulnerabilities

Few ClassLoader manipulation vulnerabilities with potential RCE impact...

CVSS: 7.5, AI score: 3.3, EPSS: 0.99614
Exploits: 8, References: 4, Affected Software: 1
securityvulns
added 2014/05/02 12:00 a.m., 462 views

[ANN][SECURITY] Struts 1 - CVE-2014-0114 - Mitigation Advice Available, Possible RCE Impact

As confirmed in our last announcement, the Apache Struts 1 framework in all versions is affected by a ClassLoader manipulation vulnerability CVE-2014-0114 similar to a recently fixed vulnerability in Struts 2 CVE-2014-0112, CVE-2014-0094 1. Thanks to the efforts of Alvaro Munoz and the HP Fortify...

CVSS: 7.5, AI score: 0.2, EPSS: 0.99614
Exploits: 8