Sonatype Delivers Premium Open Source Controls to GitHub | Press Release

blog-logo Sonatype Blog

Nexus Intelligence Insights: CVE-2019-3773 Spring Web Services XML External Entity Injection (XXE)

By Akshay 'Ax' Sharma on March 18, 2020 vulnerabilities
This Nexus Intelligence Insight covers CVE-2019-3773: cross site scripting vulnerabilities in Spring Web Services XML External Entity Injection (XXE).
Read More...

Nexus Intelligence Insights: What's in a Ghostcat? CVE-2020-1938 Apache Tomcat - Local File Inclusion Potentially Leads to RCE

By Akshay 'Ax' Sharma on March 09, 2020 vulnerabilities
Ghostcat manipulates the widely used Apache Tomcat web server. No version of Tomcat released in the last 13 years is immune, unless properly patched.
Read More...

Nexus Intelligence Insights CVE-2020-2100: Jenkins - UDP Amplification Reflection Attack Leading to Distributed Denial of Service (DDoS)

By Akshay 'Ax' Sharma on February 12, 2020 vulnerabilities
CVE-2020-2100 takes advantage of the fact that, by default, both UDP multicast/broadcast and DNS multicast traffic is enabled on Jenkins. Here's what to do.
Read More...

Nexus Intelligence Insights: Sonatype-2020-0003 - npm malicious package 1337qq-js

By Elisa Velarde on January 15, 2020 vulnerabilities
In this month's Nexus Intelligence Insights, we cover Sonatype-2020-0003: npm malicious package 1337qq-js. Here's why it made noise but had no impact.
Read More...

Nexus Intelligence Insights: CVE-2018-5382 Bouncycastle Information Exposure

By Elisa Velarde on December 26, 2019 vulnerabilities
In this month's Nexus Intelligence Insights, we're covering CVE-2018-5382: Information exposure in the bouncycastle component
Read More...

Nexus Intelligence Insights: CVE-2018-16487 Lodash RCE + 'prototype' pollution

By Elisa Velarde on November 27, 2019 vulnerabilities
In this month's Nexus Intelligence Insights, we're covering CVE-2018-16487: remote code execution and 'prototype' pollution in Lodash and how to protect against a hack of this vulnerable vector.
Read More...

Nexus Intelligence Insights Sonatype-2017-0312: jackson-databind, The End of the Blacklist

By Elisa Velarde on October 10, 2019 vulnerabilities
Our October Nexus Intelligence Insight takes a second look at a popular component that's both a blessing and a curse to developers - jackson-databind.
Read More...

Nexus Intelligence Insights CVE-2019-15753: OpenStack (os-vif), Denial of Service & Information Exposure

By Elisa Velarde on September 27, 2019 vulnerabilities
In this month's Nexus Intelligence Insights, we're covering CVE-2019-15753: a MAC address aging vulnerability that opens up the potential for a DoS and information exposure attack.
Read More...

Nexus Intelligence Insights: Sonatype-2018-0413, flatmap-stream's back, back again

By Elisa Velarde on August 20, 2019 vulnerabilities
In this month's Nexus Intelligence Insights, we're covering Sonatype-2018-0413: a deeper dive into flatmap-stream and malicious code injection vectors in additional components
Read More...