What We Learned from Studying 36,000 OSS Projects | Press Release

blog-logo Sonatype Blog

Nexus Intelligence Insights Sonatype-2017-0312: jackson-databind, The End of the Blacklist

By Elisa Velarde on October 10, 2019 vulnerabilities
Our October Nexus Intelligence Insight takes a second look at a popular component that's both a blessing and a curse to developers - jackson-databind.
Read More...

Nexus Intelligence Insights CVE-2019-15753: OpenStack (os-vif), Denial of Service & Information Exposure

By Elisa Velarde on September 27, 2019 vulnerabilities
In this month's Nexus Intelligence Insights, we're covering CVE-2019-15753: a MAC address aging vulnerability that opens up the potential for a DoS and information exposure attack.
Read More...

Nexus Intelligence Insights: Sonatype-2018-0413, flatmap-stream's back, back again

By Elisa Velarde on August 20, 2019 vulnerabilities
In this month's Nexus Intelligence Insights, we're covering Sonatype-2018-0413: a deeper dive into flatmap-stream and malicious code injection vectors in additional components
Read More...

Nexus Intelligence Insights: CVE-2019-13354: 'strong_password' embedded malicious code, RubyGems

By Elisa Velarde on July 10, 2019 vulnerabilities
In this month's Nexus Intelligence Insights, we're covering CVE-2019-13354: strong_password, an embedded malicious code vulnerability in RubyGems.
Read More...

Nexus Intelligence Insights: CVE-2018-1109-Braces Regular expression Denial of Service (ReDoS) attack

By Elisa Velarde on June 28, 2019 vulnerabilities
In this month's Nexus Intelligence Insights, we're analyzing the mechanics of the braces regular expression denial of service attack - and what you can do to stop it.
Read More...

Nexus Intelligence Insights - CVE-2018-14721 - jackson-databind remote code execution

By Elisa Velarde on May 31, 2019 vulnerabilities
We're demystifying the jackson-databind and block polymorphic deserialization (CVE-2018-14721), which is vulnerable to Remote Code Execution.
Read More...

Nexus Intelligence Insights: CVE-2019-0232 - Apache Tomcat CGI Servlet Remote Code Execution

By Elisa Velarde on April 26, 2019 vulnerability
In this month's Nexus Intelligence Insights we discuss a very popular component used by developers worldwide. Say hello to CVE-2019-0232, a remote code execution vulnerability.
Read More...

Nexus Intelligence Insights: CVE-2014-3483 - SQL Injection in PostgreSQL adapter for Active Record against 'range' data type

By Elisa Velarde on March 29, 2019 vulnerability
In this month's Nexus Intelligence Insights we discuss an older component that is used by millions of developers. Say hello to CVE-2014-3483, a SQL injection vulnerability.
Read More...

Nexus Intelligence Insights: CVE-2014-3603 — Lack of Hostname Verification in OpenSAML

By Akshay 'Ax' Sharma on February 26, 2019 vulnerability
In this month's Nexus Intelligence Insights we discuss an older component, but one that is widely used across a variety of ecosystems, and has a vulnerability that could be catastrophic. Say hello to
Read More...