Tag: #dependencies
5 posts tagged #dependencies.
-
Analysis · May 20, 2026 · analysis-desk
When the build tool, the GitHub Action, and sudo are the vulnerability
tj-actions, a poisoned GitHub Action; Sudo's chroot bug; 7-Zip's Mark-of-the-Web bypass; Git, FreeType, Erlang/OTP, PHPMailer, Vite, jQuery. The developer-tooling and dependency entries are the supply chain itself getting exploited, the layer beneath the apps you ship.
-
Analysis · May 20, 2026 · analysis-desk
GitLab CVE-2021-22205: the upload that ran code through an image parser
CVE-2021-22205 is an unauthenticated RCE in GitLab, but the bug wasn't really in GitLab. It was in ExifTool, the metadata library GitLab used to process uploaded images. Upload a crafted file, ExifTool parses it, code runs. Image parsers are a recurring RCE vector.
-
Analysis · May 20, 2026 · The Commentary Desk
Everyone remembers patching Log4Shell. Few built the thing that would make the next one easy.
CVE-2021-45046 is the bug that proved the first Log4Shell fix was incomplete, kicking off a patch-the-patch cascade in December 2021. The teams that 'patched Log4j' on day one had to do it again, and again. The durable lesson wasn't speed. It was knowing where the dependency lived.
-
Analysis · May 20, 2026 · The Commentary Desk
Turning on SSO turned on the vulnerability, and turning it back off didn't help
CVE-2022-47966 gave unauthenticated RCE across two dozen ManageEngine products, but only where SAML single sign-on was enabled. The best-practice config was the attack surface, the root cause was a years-stale bundled library, and 'was enabled' counted too.
-
Analysis · May 20, 2026 · analysis-desk
There's no vendor to patch this one. The vulnerable code is inside an app you built.
CVE-2017-11357 is a file-upload-to-RCE flaw in the Telerik UI component. It's not a product on your network you can update; it's a library compiled into web apps your own team shipped, sometimes years ago, often without anyone remembering Telerik is in there.