Here's a New Tool That Scans Open-Source Repositories for Malicious Packages
The Open Source Security Foundation OpenSSF has announced the initial prototype release of a new tool that's capable of carrying out dynamic analysis of all packages uploaded to popular open source repositories. Called the Package Analysis project, the initiative aims to secure open-source packag...
NPM Bug Allowed Attackers to Distribute Malware as Legitimate Packages
A "logical flaw" has been disclosed in NPM, the default package manager for the Node.js JavaScript runtime environment, that enables malicious actors to pass off rogue libraries as legitimate and trick unsuspecting developers into installing them. The supply chain threat has been dubbed "Package...
Mz Automation Libiec61850 Security Vulnerability
Mz Automation Libiec61850 is an open source library for the IEC 61850 protocol from Mz Automation. A security vulnerability exists in Mz Automation GmbH libiec61850 1.5.0 that originates from a specially crafted series of network requests and can result in a denial of service. An attacker can...
[Security Nation] Kate Stewart on Open-Source Projects at the Linux Foundation
In this episode of Security Nation, Jen and Tod chat with Kate Stewart, VP of Dependable Embedded Systems at the Linux Foundation, about the...
CVE-2022-22547
Simple Diagnostics Agent, versions 1.0 up to version 1.57, allows an attacker to access information which would otherwise be restricted via a random port in the range 9000-65535. This allows information gathering which could be used to exploit future open-source security exploits...
[Security Nation] Matthew Kienow on Open-Source Security and the Recog Framework
In this episode of Security Nation, Jen and Tod chat with Matthew Kienow, Senior Software Engineer at Rapid7, about open-source security – a subje...
Keylime Security Vulnerability
Keylime is an open source, extensible remote attestation trust system that utilizes TPM technology. There is a security vulnerability in Keylime; no information about this vulnerability is available at this time, please stay tuned to CNNVD or the vendor's announcement...
Finding Vulnerabilities in Open Source Projects
The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open source projects: The "Alpha" side will emphasize vulnerability testing by hand in the most popular...
Open-Source Security: Getting to the Root of the Problem
The past few weeks have shown us the importance and wide reach of open-source security. In December 2021, public disclosure of the Log4Shell vulnerability in Log4j, an open-source logging library, caused a cascade of dependency analysis by developers in organizations around the world. The inciden...
S3Scanner Path Traversal Vulnerability
S3Scanner is an open source tool for finding open S3 storage buckets and dumping their contents by Dan Salmon, an individual developer in the United States. S3Scanner prior to version 2.0.2 suffers from a path traversal vulnerability that stems from a failure of a networked system or product to...
Heap-based Buffer Overflow in allinurl/goaccess
Description: Good evening and Happy Turkey Day! We are truly thankful for the Open Source Security community this year. Whilst testing goaccess built from commit 9774249, we discovered a crafted log which can trigger a heap-buffer-overflow during a memcmp operation on line 1525 of /src/parser.c...
CVE-2019-1428
| creationtimestamp | type | source |
|---|---|---|
| 2021-11-08 08:58:19+00:00 | seen | MISP/f5030aca-7d5a-43a4-ae03-8f4ac8e85422 |
| 2024-02-11 13:41:17+00:00 | seen | https://t.me/ctinow/182780... |
Workshop: Visibility Into Open Source Code
Learn how to leverage Trend Micro Cloud One - Open Source Security by Snyk with your code repositories and CI/CD pipelines to scan projects, resulting in better visibility, tracking, and early awareness of open source issues...
CVE-2020-36198
| creationtimestamp | type | source |
|---|---|---|
| 2021-10-25 22:32:43+00:00 | seen | MISP/63ddead6-4b82-414c-ad8e-c516b950b446... |
All Vulnerabilities for exams.edu.skipatrol.ca Patched via Open Bug Bounty
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence.

| Affected Website: | exams.edu.skipatrol.ca |
|---|---|
| Open Bug... | |
CVE-2020-14321
| creationtimestamp | type | source |
|---|---|---|
| 2021-08-05 08:06:07+00:00 | published-proof-of-concept | Telegram/BFmqOBhszqMKcQYemdeZaPAwmeKtL9VmRmeXNRw5cKm7Jg |
| 2021-10-11 22:36:30+00:00 | seen | ... |
5 #TrendTips for Open Source Security
You use many application development tools to create your next masterpiece, but you also need to ensure you're not bringing open source security risks into the equation. Find out how in this article...
New Google Scorecards Tool Scans Open-Source Software for More Security Risks
Google has launched an updated version of Scorecards, its automated security tool that produces a "risk score" for open source initiatives, with improved checks and capabilities to make the data generated by the utility accessible for analysis. "With so much software today relying on open-source...
Improve Your Cyber Security Posture by Combining State of the Art Security Tools
Today there are plenty of cybersecurity tools on the market. It is now more important than ever that the tools you decide to use work well together. If they don't, you will not get the complete picture, and you won't be able to analyze the entire system from a holistic perspective. This means tha...
O2OA has a file upload vulnerability
O2OA is a J2EE-based, distributed-architecture enterprise information system released under the AGPL open source license. It integrates mobile office and smart office features, supports private deployment with adaptive load capacity, and can substantially reduce enterprise software development costs for custom...