| CVE | Description | CVSS 3 Base score |
|---|---|---|
| CVE-2021-29505 | XStream is vulnerable to a Remote Command Execution attack. | 8.8 |
| CVE-2021-21341 | XStream can cause a Denial of Service. | 7.5 |
| CVE-2021-21342 | A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host. | 9.1 |
| CVE-2021-21343 | XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights. | 7.5 |
| CVE-2021-21344 | XStream is vulnerable to an Arbitrary Code Execution attack. | 9.8 |
| CVE-2021-21345 | XStream is vulnerable to a Remote Command Execution attack. | 9.9 |
| CVE-2021-21346 | XStream is vulnerable to an Arbitrary Code Execution attack. | 9.8 |
| CVE-2021-21347 | XStream is vulnerable to an Arbitrary Code Execution attack. | 9.8 |
prabhu prabhu
prabhu
/ git-protect.tf
Created
July 18, 2020 13:52
Protect github branches, mandate status checks with Terraform
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Protect the master branch. Enforce that ci/tests and shiftleft should pass to allow merges | |
| # Allow PR to be dismissed by sem-user and managers team | |
| resource "github_branch_protection" "protect_master" { | |
| repository = "${github_repository_name}" | |
| branch = "master" | |
| enforce_admins = true | |
| require_signed_commits = false | |
| required_status_checks { | |
| strict = false |
prabhu
/ reachables.json
Created
October 22, 2023 17:43
Reachables slice for https://github.com/pyn3rd/CVE-2023-34040
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "reachables" : [ | |
| { | |
| "flows" : [ | |
| { | |
| "id" : 44, | |
| "label" : "METHOD_PARAMETER_IN", | |
| "name" : "this", | |
| "fullName" : "", | |
| "signature" : "", |
prabhu
/ bitbucket-reusable-pipelines.yml
Created
July 26, 2020 13:56
Reusable Bitbucket pipelines configuration with YAML anchors
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| definitions: | |
| steps: | |
| - step: &build | |
| name: Build microservices jar | |
| script: | |
| - mvn package | |
| artifacts: | |
| - target/** | |
| - step: &build-react | |
| name: Build React app |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <xsl:stylesheet version="1.0" xmlns:bom="http://cyclonedx.org/schema/bom/1.1" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> | |
| <xsl:output method="text" /> | |
| <xsl:template match="/"> | |
| <xsl:text>## Project dependencies</xsl:text> | |
| <xsl:text>

</xsl:text> | |
| <xsl:text>| Vendor | Name | Version | License Id | </xsl:text> | |
| <xsl:text>
</xsl:text> | |
| <xsl:text>| -------|------|---------|------------|</xsl:text> | |
| <xsl:text>
</xsl:text> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // git clone https://github.com/OWASP/NodeGoat | |
| // Install joern | |
| // importCode("NodeGoat") | |
| val requestPattern = | |
| "req\\.(originalUrl|path|protocol|route|secure|signedCookies|stale|subdomains|xhr|app|pipe|file|files|baseUrl|fresh|hostname|ip|url|ips|method|body|param|params|query|cookies)" | |
| val taintSourcePattern = "(?s)(?i).*" + requestPattern + ".*" | |
| val responsePattern = | |
| "res\\.(append|attachment|cookie|clearCookie|download|end|format|get|json|jsonp|links|location|redirect|render|send|sendFile|sendStatus|set|status|type|vary)" |
prabhu
/ git-scan.sh
Created
June 26, 2020 09:31
Script to perform security scan of top repos on GitHub using ShiftLeft Scan. Use it to produce your own state of the opensource security reports.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Script to clone top repos on github based on language and invoke ShiftLeft Scan against the repos to find vulnerabilities | |
| # Use case 1: Scan the top repos on GitHub and write a state of opensource report to criticize opensource! | |
| # Use case 2: Scan the top repos on GitHub and sell your magical security product to guard organizations against opensource vulnerabilities! | |
| CURR_DIR=$(pwd) | |
| mkdir -p reports_dir | |
| mkdir -p work_dir && cd work_dir | |
| # Get the latest scan image | |
| docker pull shiftleft/scan |
prabhu
/ bidi-check.py
Last active
November 2, 2021 15:54
Python: Look for Bi-directional unicode characters in a file or directory. CVE-2021-42574 / https://trojansource.codes/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /usr/bin/env python3 | |
| # python3 bidi-check.py <file or directory> | |
| # This script looks for bi-directional unicode characters. Useful to look for CVE-2021-42574 / https://trojansource.codes/ | |
| import argparse | |
| import codecs | |
| import os | |
| import sys | |
| import unicodedata | |
| bidi_dict = {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # grep -w Bidi_Control /usr/share/unicode/PropList.txt | |
| 061C ; Bidi_Control # Cf ARABIC LETTER MARK | |
| 200E..200F ; Bidi_Control # Cf [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK | |
| 202A..202E ; Bidi_Control # Cf [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE | |
| 2066..2069 ; Bidi_Control # Cf [4] LEFT-TO-RIGHT ISOLATE..POP DIRECTIONAL ISOLATE | |
| # Check your files for U+061C, U+200E, U+200F, U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # apt install unicode-data | |
| # Copied from /usr/share/unicode/BidiBrackets.txt | |
| # BidiBrackets-13.0.0.txt | |
| # Date: 2019-09-09, 19:31:00 GMT [AG, LI, KW] | |
| # © 2019 Unicode®, Inc. | |
| # Unicode and the Unicode Logo are registered trademarks of Unicode, Inc. in the U.S. and other countries. | |
| # For terms of use, see http://www.unicode.org/terms_of_use.html | |
| # | |
| # Unicode Character Database | |
| # For documentation, see http://www.unicode.org/reports/tr44/ |
NewerOlder