Checkmarx is a Leader in the 2021 Gartner Magic Quadrant for Application Security Testing

Tag: Remote Code Execution Vulnerabilities

The 0xDABB of Doom: CVE-2021-25641

Introduction When I previously wrote the original Dubbo publication, we disclosed that issue as it was mitigated by the vendor. While the Dubbo “HTTP” protocol in that disclosure was trivially vulnerable to the most common Java deserialization attacks (as evidenced by the immediate cropping up of exploits for Dubbo as soon as a very broad

Read More ›

Apache Unomi CVE-2020-13942: RCE Vulnerabilities Discovered

“Apache Unomi is a Java Open Source customer data platform, a Java server designed to manage customers, leads and visitors’ data and help personalize customers experiences,” according to its website. Unomi can be used to integrate personalization and profile management within very different systems such as CMSs, CRMs, Issue Trackers, native mobile applications, etc. Unomi

Read More ›

Checkmarx Research: Apache Dubbo 2.7.3 – Unauthenticated RCE via Deserialization of Untrusted Data (CVE-2019-17564)

Executive Summary Having developed a high level of interest in serialization attacks in recent years, I’ve decided to put some effort into researching Apache Dubbo some months back. Dubbo, I’ve learned, deserializes many things in many ways, and whose usage world-wide has grown significantly after its adoption by the Apache Foundation. Figure 1 – Dubbo

Read More ›

Apache Struts, RCEs, and the Equifax Breach Anniversary

Apache Struts, RCEs, and the Equifax Breach Anniversary

We just passed the one-year anniversary of Equifax’s announcement of their massive data breach due to an exploit of an Apache Struts vulnerability (CVE-2017-5638) – and incidentally, at nearly the same time that Apache announced another critical Apache Struts security flaw (). The latest Apache Struts vulnerability, CVE-2018-11776, was published in NVD on August 22,

Read More ›

Jump to Category