Spring4shell vulnerability (CVE-2022-22965) enables Remote Code Execution when using the Spring Framework

By the end of the post, you’ll understand what mass assignment is and how it leads to a vulnerability. We’ll also look at some examples and understand its impact on business.
Security and IT teams need to tackle this problem in a structured process that takes into account API application security best practices and procedures that constantly evaluate an organization’s APIs.
A look at the challenges teams face with mitigating Log4j vulnerabilities (i.e. Log4Shell) and how Traceable AI closes those gaps.
The new Log4j vulnerability (Log4Shell) has gotten the Internet up in arms. There are active exploits, and scanning for the vulnerability is rampant. The vulnerability is widespread and will take time to resolve everywhere. Here’s how Traceable AI can help.
A popular fairy tale told in IT circles is that the internet is built on a perfectly orchestrated 7-layer stack. A popular extension of this notion is that enterprises can secure their infrastructure using a layered approach to security. Like most fairy tales, there is some truth in these stories.
December has finally come and Traceable AI has released a whole new suite of software features for our customers, with the continued aim of ensuring the best API Security solution on the market.
We are pleased to announce that Traceable AI has added a new agentless deployment option of traffic mirroring for customers who wish to deploy an API security solution to protect their API-driven applications.
In 2019, I hacked 30 bank mobile apps and APIs in coordination with domestic and international financial services and FinTech companies. In 2020-2021, I hacked 30 mobile health (mHealth) apps and FHIR APIs in coordination with healthcare providers, giving me access to thousands of patient records via their APIs due to broken authentication and authorization vulnerabilities. This year, in coordination with federal and state law enforcement agencies, I was able to take remote control of law enforcement vehicles through the automaker’s APIs.
Bold security threats are giving rise to a new industry of API-specific security capabilities much more powerful than current management tools.
In this article, I dig into the details about Broken Object Level Authorization (BOLA) — the most common and most severe API vulnerability today according to the OWASP API Security Project. Insecure Direct Object Reference (IDOR) and BOLA are the same thing. The name was changed from IDOR to BOLA as part of the project.
The majority of organizations rely heavily on third-party web applications connected through APIs to generate revenue and serve customers. In many cases, these web applications contain security vulnerabilities.
As part of DevSecOps best practices, modern application developers and security teams should borrow techniques from crime scene forensics to investigate and protect against attacks.
Today marks an exciting milestone for us and for the security industry overall. Today, we are announcing the industry’s first free API security solution.
Teams need to address three core elements to develop an effective yet scalable model for API security.
The president of the United States signed an Executive Order on improving the Nation’s Cybersecurity. It covers many things, one of which is zero trust architecture. What does this mean?
Attackers have learned to defeat traditional ‘moat around the castle’ perimeter defenses. Modern application security tools offer the answer: distributed tracing and AI that understands the app they protect.
When a security expert tested several dozen mobile health applications, all had API vulnerabilities that could leak personal information. This should be a warning call.
Everything You Need to Know About Authentication and Authorization in Web APIs – Part 2
Attackers are listening to your API chatter, finding vulnerabilities that reveal valuable (and personal) data. Here’s what developers should consider to protect against excessive data exposure.
Part 1: Technologies used to create web applications have fundamentally changed. Authentication and authorization techniques must change with them.
DAST tools provide pentesters with a hacker’s-eye-view of system vulnerabilities. What are the advantages and disadvantages of this important security tool?
SecOps keeps production environments safe. Now, “shifting left” approaches are needed to secure production applications and APIs.
New tech transforms dev, but with risk
Moving from local monoliths to cloud-based microservices
API Security and the SolarWinds Breach: a wake-up call
What if we could reduce the time to detect a cyber attack all the way down to zero?
The popularity of cloud-based computing has made API security the next big challenge…
Six factors to get right when planning Kubernetes architecture.
Cybersecurity is a key part of enterprise risk management in financial services
How do you know your apps are protected?
Common internal and external threats and the Zero Trust practices to address them.
Part II: API Security in Modern Applications
A Practitioner’s View
Part I: What are Modern Applications