Application Security

NotLegit: 4-year old Microsoft Azure App Service 0-day vulnerability affects source code repositories

Application Security, Cybersecurity Attacks, Vulnerabilities & Exploits / By Frank Crast / December 29, 2021 December 29, 2021

A four-year old Microsoft Azure App Service 0-day vulnerability dubbed “NotLegit” affects hundreds of source code repositories.

Tags: 0-day, App Service, Azure, GitHub, IIS, Local Git, Microsoft, Node, PHP, Python, Ruby, Windows

Researchers discover Critical RCE 0-day “Log4Shell” vulnerability (CVE-2021-44228) in Apache Log4j logging utility (update)

Application Security, Security Updates & Patches, System Hardening, Third-Party Security, Vulnerabilities & Exploits / By Frank Crast / December 15, 2021 December 30, 2021

Researchers have discovered a Critical 0-day vulnerability (CVE-2021-44228) in Apache Log4j logging utility that can result in remote code execution (RCE). In addition, CISA and Microsoft also issue new guidance for log4j vulnerability remediation.

Tags: Apache, CVE-2021-44228, GitHub, LDAP, Log4j, log4Shell

GitHub fixes 2 npm registry vulnerabilities

Application Security, Security Updates & Patches, Vulnerabilities & Exploits / By Frank Crast / November 20, 2021 November 20, 2021

GitHub has fixed two node package manager (npm) registry vulnerabilities, one of those could allow an attacker to publish new versions of an npm package without proper authorization.

Tags: 2FA, GitHub, JavaScript, NPM, registry

GoCD patches ‘Highly Critical’ authentication vulnerability

Application Security, Security Updates & Patches, Vulnerabilities & Exploits / By Frank Crast / October 29, 2021 October 29, 2021

GoCD has patched a Critical authentication vulnerability in its GoCD CI/CD tool.

Tags: CI/CD, CICD, developer, GoCD, SDLC, Software

Embedded malware discovered in NPM package ua-parser-js

Application Security, Malware, Security Updates & Patches, Third-Party Security, Vulnerabilities & Exploits / By Frank Crast / October 27, 2021 October 27, 2021

Embedded malware has been discovered in an NPM package ua-parser-js, a popular JavaScript library designed to detect browser, engine, OS, CPU, and device type/model from User-Agent data.

Tags: JavaScript, malware, NPM, ua-parser-js, User-Agent

Malicious PyPI software packages found stealing payment card numbers and injecting code

Application Security, Malware, Vulnerabilities & Exploits / By Frank Crast / August 5, 2021 August 5, 2021

Security researchers have discovered malicious software packages from Python’s official third party software package repository PyPl stealing payment card numbers and injecting code.

Tags: JFrog, noblesse, PyPl, Python, SDLC, ShadowHammer, Supply Chain

Attackers could have taken over an Atlassian account via one-click exploit

Application Security, Third-Party Security, Vulnerabilities & Exploits / By Frank Crast / June 24, 2021 June 24, 2021

Cybersecurity researchers have discovered a series of chained Atlassian vulnerabilities that could have allowed an attacker to take over an Atlassian account connected via SSO and control Atlassian applications.

Tags: Atlassian, Check Point, Confluence, CPR, CSRF, JavaScript, Jira, SSO, XSS