Hot Topics

Elisa Velarde
Sonatype Blog

Nexus Intelligence Insights: Sonatype-2020-0003 – npm malicious package 1337qq-js

| | 1337qq-js, DevSecOps, FEATURED, malicious code npm, Nexus Intelligence Insights, npm, sonatype-2020-0003, Vulnerabilities
Happy New Year! Nexus Intelligence Insights is back with an open source component vulnerability that turns out to be not so bad after all ... Read More
Sonatype Blog

Nexus Intelligence Insights: CVE-2018-5382 Bouncycastle Information Exposure

| | bouncy castle, bouncycastle, cve-2018-5382, FEATURED, information exposure, Nexus Intelligence Insights, Vulnerabilities
For our last Nexus Intelligence Insight of 2019, we'll cover a component vulnerability discovered in a not-so-happy accident that appears far more dangerous than the researcher had previously hypothesized ... Read More
Sonatype Blog

Nexus Intelligence Insights: CVE-2018-16487 Lodash RCE + ‘prototype’ pollution

| | cve-2018-16487, FEATURED, lodash, Nexus Intelligence Insights, Remote Code Execution, Vulnerabilities
... Read More
Sonatype Blog

Nexus Intelligence Insights Sonatype-2017-0312: jackson-databind, The End of the Blacklist

| | deserialization, FEATURED, jackson databind, Nexus Intelligence Insights, Remote Code Execution, Vulnerabilities
For our October Nexus Intelligence Insight we will return to a very popular component that has been both a blessing and a curse to developers around the world. We’ll cover a fundamental change to a default setting and how that change in ‘type’ may impact the security of your next ... Read More
Sonatype Blog

Nexus Intelligence Insights CVE-2019-15753: OpenStack (os-vif), Denial of Service & Information Exposure

| | cve-2019-15753, FEATURED, information exposure, Nexus Intelligence Insights, pypi vuln, pypi vulnerability, Vulnerabilities
Our news feeds are filled with reports of malicious attacks on open source code at the project source, most of which are bad actors leveraging code bases for their own gain. While we're taking this growing issue, more seriously than anyone else, we're also not taking our eye off the ... Read More
Sonatype Blog

Nexus Intelligence Insights: Sonatype-2018-0413, flatmap-stream’s back, back again

| | embedded malicious code, FEATURED, flatmap-stream, Nexus Intelligence Insights, Sonatype-2018-0413, Vulnerabilities
Thought you cleaned up your malicious flatmap-stream code? Check again. You may have thought you'd read everything there was to read about flatmap-stream and as a result, fixed the offending component once and for all. However, after a deeper inspection of embedded components potentially still in use, the Sonatype Data ... Read More
Sonatype Blog

Nexus Intelligence Insights: CVE-2019-13354: ‘strong_password’ embedded malicious code, RubyGems

| | cve-2019-13354, embedded malicious code, FEATURED, Nexus Intelligence Insights, Ruby Gems language, Vulnerabilities
We typically don’t follow one monthly Nexus Intelligence Insights post on the heels of another, but July’s vulnerability is time sensitive so we didn’t want to delay getting the next edition out for everyone to read ... Read More
Sonatype Blog

Nexus Intelligence Insights: CVE-2018-1109-Braces Regular expression Denial of Service (ReDoS) attack

| | cve-2018-1109, FEATURED, Nexus Intelligence Insights, regular expression dos, Vulnerabilities
... Read More
Sonatype Blog

Secure Guardrails