Blacklist approach JDB

Nexus Intelligence Insights Sonatype-2017-0312: jackson-databind, The End of the Blacklist

For our October Nexus Intelligence Insight we will return to a very popular component that has been both a blessing and a curse to developers around the world. We’ll cover a fundamental change to a default setting and how that change in ‘type’ may impact the security of your next ... Read More

Nexus Intelligence Insights CVE-2019-15753: OpenStack (os-vif), Denial of Service & Information Exposure

Our news feeds are filled with reports of malicious attacks on open source code at the project source, most of which are bad actors leveraging code bases for their own gain. While we're taking this growing issue, more seriously than anyone else, we're also not taking our eye off the ... Read More

Nexus Intelligence Insights: Sonatype-2018-0413, flatmap-stream’s back, back again

Thought you cleaned up your malicious flatmap-stream code? Check again. You may have thought you'd read everything there was to read about flatmap-stream and as a result, fixed the offending component once and for all. However, after a deeper inspection of embedded components potentially still in use, the Sonatype Data ... Read More

Nexus Intelligence Insights: CVE-2019-13354: ‘strong_password’ embedded malicious code, RubyGems

We typically don’t follow one monthly Nexus Intelligence Insights post on the heels of another, but July’s vulnerability is time sensitive so we didn’t want to delay getting the next edition out for everyone to read ... Read More