| 2022-10-14 |
Data flow analysis and path exploration in LGTM |
Announcement ‧ s0 |
|
| 2022-10-14 |
Bridging the Gap Between Developers and Security Teams |
Insights ‧ xcorail |
|
| 2022-10-14 |
Introduction to variant analysis with CodeQL and LGTM (Part 1) |
CodeQL ‧ imsolost |
|
| 2022-10-14 |
Introduction to variant analysis with CodeQL and LGTM (part 2) |
Variant Analysis ‧ imsolost |
|
| 2022-10-14 |
Python Security: How to find and fix issues with CodeQL |
CodeQL ‧ alextereshenkov |
|
| 2021-12-22 |
Fuzzing sockets: Apache HTTP, Part 3: Results |
Fuzzing ‧ antonio-morales |
|
| 2021-12-16 |
Updates to the Bug Slayer bug bounty program |
Bounties ‧ team |
|
| 2021-12-13 |
Getting root on Ubuntu through wishful thinking |
CVE ‧ kevinbackhouse |
|
| 2021-11-19 |
Fall of the machines: Exploiting the Qualcomm NPU (neural processing unit) kernel driver |
Android ‧ m-y-mo |
|
| 2021-10-20 |
Chrome in-the-wild bug analysis: CVE-2021-37975 |
Chrome ‧ m-y-mo |
|
| 2021-09-30 |
The fugitive in Java: Escaping to Java to escape the Chrome sandbox |
Chrome ‧ m-y-mo |
|
| 2021-09-28 |
Chrome in-the-wild bug analysis: CVE-2021-30632 |
Chrome ‧ m-y-mo |
|
| 2021-09-21 |
Apache Dubbo: All roads lead to RCE |
CodeQL ‧ pwntester |
|
| 2021-08-10 |
Don’t shoot the emissary |
CodeQL ‧ pwntester |
|
| 2021-08-06 |
Keeping your GitHub Actions and workflows secure Part 3: How to trust your building blocks |
Actions ‧ jarlob |
|
| 2021-07-14 |
Our shared common weaknesses |
Education ‧ darakian |
|
| 2021-07-01 |
Fail2exploit: a security audit of Fail2ban |
Security ‧ kevinbackhouse |
|
| 2021-04-20 |
LiveQL Episode II: The Rhino in the room |
LiveQL ‧ pwntester |
|
| 2021-04-01 |
One day short of a full chain: Part 3 - Chrome renderer RCE |
Chrome ‧ m-y-mo |
|
| 2021-04-01 |
One day short of a full chain: Part 2 - Chrome sandbox escape |
Chrome ‧ m-y-mo |
|
| 2021-04-01 |
One day short of a full chain: Part 1 - Android Kernel arbitrary code execution |
Android ‧ m-y-mo |
|
| 2021-04-01 |
Fuzzing sockets: Apache HTTP, Part 1: Mutations |
Fuzzing ‧ antonio-morales |
|
| 2021-04-01 |
Keeping your GitHub Actions and workflows secure Part 2: Untrusted input |
Actions ‧ jarlob |
|
| 2021-04-01 |
Increased bounty rewards for the GitHub Security Lab community! |
Bounties ‧ team |
|
| 2021-04-01 |
Security Lab research: a year in review |
securitylab ‧ team |
|
| 2021-04-01 |
Keeping your GitHub Actions and workflows secure |
spyc |
|
| 2021-04-01 |
Now you C me, now you don’t, part two: exploiting the in-between |
C ‧ anticomputer |
|
| 2021-04-01 |
Fuzzing sockets: Apache HTTP, Part 2: Custom Interceptors |
Fuzzing ‧ antonio-morales |
|
| 2021-03-17 |
One day short of a full chain: Part 2 - Chrome sandbox escape |
|
|
| 2021-03-11 |
GHSL-2020-277: Unauthorized repository modification or secrets exfiltration in GitHub workflows of w3c/aria-practices |
|
|
| 2021-03-11 |
GHSL-2020-324: Template injection in a GitHub workflow of koriwi/freedeck-configurator |
|
|
| 2021-03-10 |
One day short of a full chain: Part 1 - Android Kernel arbitrary code execution |
|
|
| 2021-03-08 |
GHSL-2020-166: Use-after-free (UaF) in Chrome PaymentCredential - CVE-2020-16018 |
|
|
| 2021-03-08 |
GHSL-2020-165: Use-after-free (UaF) in Chrome PaymentAppServiceBridge - CVE-2020-16045 |
|
|
| 2021-03-08 |
GHSL-2020-167: Use-after-free (UaF) in Chrome AudioHandler - CVE-2020-15972, CVE-2021-21114 |
|
|
| 2021-03-08 |
GHSL-2020-273: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of numworks/epsilon |
|
|
| 2021-03-08 |
GHSL-2020-375: Use-after-free (UaF) in Qualcomm kgsl driver - CVE-2020-11239 |
|
|
| 2021-03-03 |
GHSL-2020-246: Unauthorized repository modification or secrets exfiltration in GitHub workflows of ant-design |
|
|
| 2021-03-03 |
GHSL-2021-008: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of actions-cool/issue-helper |
|
|
| 2021-03-03 |
GHSL-2020-264: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of youan/vant |
|
|
| 2021-03-03 |
GHSL-2020-267: Unauthorized repository modification or secrets exfiltration in GitHub workflows of Antvis repositories |
|
|
| 2021-03-03 |
GHSL-2020-266: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of afc163/surge-preview |
|
|
| 2021-03-03 |
GHSL-2020-269: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of alibaba/hooks |
|
|
| 2021-03-03 |
GHSL-2020-268: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of umijs/dumi |
|
|
| 2021-03-03 |
GHSL-2020-287: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of jdf2e/nutui |
|
|
| 2021-03-03 |
GHSL-2020-270: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of ant-design-colorful |
|
|
| 2021-03-03 |
GHSL-2020-314: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of s4u/pgpverify-maven-plugin |
|
|
| 2021-03-03 |
GHSL-2020-343: ReDoS (Regular Expression Denial of Service) in Vant |
|
|
| 2021-03-03 |
GHSL-2020-349: ReDoS (Regular Expression Denial of Service) in date-and-time - CVE-2020-26289 |
|
|
| 2021-03-03 |
GHSL-2020-048: Remote Code Execution in Apache Velocity - CVE-2020-13936 |
|
|
| 2021-03-03 |
GHSL-2020-265: Unauthorized repository modification or secrets exfiltration in GitHub workflows of didi/cube-ui and didi/mand-mobile |
|
|
| 2021-03-03 |
GHSL-2021-009: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of lijinke666/react-music-player |
|
|
| 2021-03-03 |
Fuzzing sockets: Apache HTTP, Part 1: Mutations |
|
|
| 2021-02-26 |
GHSL-2020-335: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of libpasta |
|
|
| 2021-02-26 |
GHSL-2020-359: ReDoS (Regular Expression Denial of Service) in etherpad-lite |
|
|
| 2021-02-25 |
GHSL-2020-228: Weak JSON Web Token (JWT) signing secret in YApi |
|
|
| 2021-02-25 |
GHSL-2020-329: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of Automattic/jetpack |
|
|
| 2021-02-25 |
GHSL-2021-016: Unauthorized repository modification or secrets exfiltration in a GitHub workflow of Tautulli |
|
|
| 2021-02-25 |
GHSL-2021-048: Unauthorized repository modification or secrets exfiltration in several GitHub workflows of linebender |
|
|
| 2021-02-13 |
GHSL-2020-197: Open redirect vulnerability in Ghost |
|
|
| 2021-02-13 |
GHSL-2020-199: Open redirect vulnerability in Slashify - CVE-2021-3189 |
|
|
| 2021-02-03 |
GHSL-2020-244: Arbitrary code execution and shell command injection in nonebot/nonebot2 workflow |
|
|
| 2021-02-03 |
GHSL-2020-242: Command injection in telegramdesktop/tdesktop workflow |
|
|
| 2021-02-03 |
GHSL-2020-275: Arbitrary code execution in LedgerHQ/ledger-live-desktop workflow |
|
|
| 2021-02-03 |
GHSL-2020-257: The unsafe handling of symbolic links in an unpacking routine in oras - CVE-2021-21272 |
|
|
| 2021-02-03 |
GHSL-2020-327: Arbitrary code execution in dmlc/gluon-cv workflow |
|
|
| 2021-02-03 |
GHSL-2020-316: Arbitrary code execution in indico/newdle workflow |
|
|
| 2021-02-03 |
GHSL-2021-010: Command injection in getsentry/onpremise workflow |
|
|
| 2021-02-03 |
GHSL-2020-232: Command injection in wireapp/wire-webapp workflow |
|
|
| 2021-02-03 |
GHSL-2021-012: Command injection in alan-turing-institute/binderhub-deploy workflow |
|
|
| 2021-02-03 |
GHSL-2021-011: Command injection in itpp-labs workflows |
|
|
| 2021-02-03 |
GHSL-2021-013: Command injection in pythonpune/meetup-talks workflow |
|
|
| 2021-02-03 |
GHSL-2021-014: Command injection in benjamin-maynard/kubernetes-cloud-mysql-backup workflow |
|
|
| 2021-02-03 |
GHSL-2021-015: Command injection in a2o/snoopy workflow |
|
|
| 2021-02-03 |
GHSL-2020-240: Command injection in scikit-learn/scikit-learn workflow |
|
|
| 2021-02-03 |
GHSL-2021-007: Arbitrary code execution and shell command injection in dmlc/gluon-nlp workflows |
|
|
| 2021-02-03 |
GHSL-2020-234: Command injection in DataBiosphere/terra-workspace-manager workflow |
|
|
| 2021-02-03 |
GHSL-2021-006: Arbitrary code execution in Decathlon/vitamin-web workflow |
|
|
| 2021-02-03 |
GHSL-2020-230: Command injection in aws/aws-sam-cli worflow |
|
|
| 2021-02-03 |
GHSL-2021-004: Arbitrary code execution in aeraki workflows |
|
|
| 2021-02-03 |
GHSL-2020-319: Arbitrary code execution in pangeo-data/climpred workflows |
|
|
| 2021-02-03 |
GHSL-2020-371: Arbitrary code execution in tophat workflows |
|
|
| 2021-02-03 |
GHSL-2020-280: Arbitrary code execution in deislabs/akri workflows |
|
|
| 2021-02-03 |
GHSL-2020-370: Arbitrary code execution and shell command injection in rhinstaller/anaconda workflows |
|
|
| 2021-02-03 |
GHSL-2020-274: Arbitrary code execution in v8/v8.dev workflow |
|
|
| 2021-02-03 |
GHSL-2020-369: Arbitrary code execution in nrfconnect/sdk-nrf workflow |
|
|
| 2021-02-03 |
GHSL-2020-245: Arbitrary code execution in strimzi/strimzi-ui workflow |
|
|
| 2021-02-03 |
GHSL-2020-367: Arbitrary code execution in android-password-store/Android-Password-Store workflow |
|
|
| 2021-02-03 |
GHSL-2020-243: Arbitrary code execution in preslavmihaylov/todocheck workflow |
|
|
| 2021-02-03 |
GHSL-2020-334: Arbitrary code execution in gsantner workflows |
|
|
| 2021-02-03 |
GHSL-2020-241: Arbitrary code execution and shell command injection in getsentry/sentry workflow |
|
|
| 2021-02-03 |
GHSL-2020-333: Arbitrary code execution in osohq/oso workflow |
|
|
| 2021-02-03 |
GHSL-2020-239: Command injection in NVIDIA/spark-rapids workflow |
|
|
| 2021-02-03 |
GHSL-2020-332: Arbitrary code execution in a2o/snoopy workflow |
|
|
| 2021-02-03 |
GHSL-2020-233: Command injection in ONSdigital workflows |
|
|
| 2021-02-03 |
GHSL-2020-328: Arbitrary code execution in GoogleCloudPlatform/microservices-demo workflow |
|
|
| 2021-02-03 |
GHSL-2020-231: Command injection in graphql-dotnet workflows |
|
|
| 2021-02-03 |
GHSL-2020-229: Command injection in allenevans/set-env workflow |
|
|
| 2021-02-03 |
GHSL-2021-030: ReDoS (Regular expression Denial of Service in CodeMirror |
|
|
| 2021-02-03 |
GHSL-2020-148: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) in anjoy8/ChristDDD |
|
|
