The root of the issue is that XSLTC (turns XSLT into a Java Class to be executed for better performance) does not account for that fact that the `constant_pool_count` in a Java class is only 16bits. An attacker can create an XSLT document containing too many constants, all of which will be written to the class file, but the count will be truncated to 16bits, leading to some of those constants being interpreted as part of the classfile containing things like field and method descriptions for the class.
A cool look at finding a vulnerability on a statically generated website, due to the presence of an image optimizer running as a serverless function.The Netlify IPX would normally validate image urls before fetching them to ensure the host is whitelisted (none by default), however this whitelist is skipped when it believe the URL is a local URL, meaning it does not start with `http`...
Yet another case of turning attacker data into full-blown objects automatically being a bad idea, in this case we have the Sawyer library used by Octokit turning API response into Ruby objects that is used to build Redis commands, allowing an attacker to inject arbitrary Redis commands leading to code execution with a crafted API response.
Just what can be accomplished when webhooks are allowed to access internal services, Cider Security takes a look specifically at abusing GitHub and GitLab webhooks to access internally hosted Jenkin instances.
Five vulnerabilities in Cloudflare Pages across 3 blog posts. Three vulns are command injection, one is a container escape, and one is a lack of access control.
Container escape within GitLab CI Runners abusing cgroup's `release_agent` functionality as CI jobs are allowed to mount file-systems.The `release_agent` is a script that will be executed when a cgroup heirachy becomes empty...
Two issues, one being a race condition between validating a configuration is safe and using the configuration, the second an information disclosure where a user's Net-NTLMv2 hash could be disclosed.
Great oversight spotted by the Light Spin team in Amazon Relational Database Service's (RDS) PostGre service allowing for arbitrary file reading and ultimately disclosure of internal service credentials.
Simple container escape compared to several we've covered in the past, the `sysctls` passed into the `pinns` utility are delimited by a `+` which can be maliciously included in a value to inject otherwise blocked `sysctls`. There is some minimal validation on the `sysctls` being passed in to ensure the keys don't match any sensitive keys, however an attacker can set a value to `+sensitive.key=othervalue` to smuggle in a blocked option.