JavaScript is not available.

Mar 23, 2022

We’re launching a series of office hours for open source maintainers! Do you need advice to secure your project’s code? Grab some time to chat with our team. Spots are limited and run until end of April github.co/36GvaIC

Bypassing OGNL sandboxes for fun and charities | The GitHub Blog

Alvaro Muñoz

@pwntester

Jan 27

Had some fun with OGNL sandboxes last year. Read how I bypassed Atlassian Confluence and Struts ones in my latest blog post

github.blog

Object Graph Notation Language (OGNL) is a popular, Java-based, expression language used in popular frameworks and applications, such as Apache Struts and Atlassian Confluence. Learn more about...

170

Jan 26

GHSL-2022-132_GHSL-2022-133: Server-Side Request Forgery (SSRF) and Path Injection in Metersphere - CVE-2022-23544, CVE-2022-23512

GHSL-2022-132_GHSL-2022-133: Server-Side Request Forgery (SSRF) and Path Injection in Metersphere -...

Metersphere is vulnerable to Server-Side Request Forgery and Path Injection.

Pwning the all Google phone with a non-Google bug | The GitHub Blog

It turns out that the first "all Google" phone includes a non-Google bug. Join

@mmolgtm

on his journey through reporting the bug, and the exploit used to gain arbitrary kernel code execution and root on a Pixel 6 from an Android app.

github.blog

It turns out that the first “all Google” phone includes a non-Google bug. Learn about the details of CVE-2022-38181, a vulnerability in the Arm Mali GPU. Join me on my journey through reporting the...

GHSL-2022-054: Use-after-free (UAF) in the Arm Mali Kernel driver - CVE-2022-38181

GHSL-2022-054: Use-after-free (UAF) in the Arm Mali Kernel driver - CVE-2022-38181

Use-after-free in the Arm Mali GPU kernel driver

GHSL-2022-074: Arithmetic overflow in sysstat - CVE-2022-39377

GHSL-2022-074: Arithmetic overflow in sysstat - CVE-2022-39377

On 32 bit systems, an arithmetic overflow present in allocate_structures can be triggered when displaying activity data files and may lead to a variety of exploit primitives due to an incorrectly...

GHSL-2023-004: Arbitrary file upload and download in act - CVE-2023-22726

GHSL-2023-004: Arbitrary file upload and download in act - CVE-2023-22726

The artifact server that stores artifacts from GitHub Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a GitHub Action.

If you are attending

tomorrow, make sure to catch

@taladrane

presenting with

@JLLeitschuh

about the work done in

@theopenssf

to help security researchers with open source vulnerability disclosure ✨ Read the full guide here: github.com/ossf/oss-vulne

Jan 17

This Wednesday, we are at

@NDC_Conferences

in Oslo, Norway! Join

@jkcso

to discover Security as Code (SaC) and the latest initiatives we pursue to secure open source.

I'll be at the

booth at #CyberThreat. Stop by if you'd like to chat about open source security!

Quote Tweet

SANS Institute, EMEA

@SANSEMEA

Jan 15

Tomorrow doors open for #CyberThreat22 We hope you enjoy all that #CyberThreat22 and #London

has to offer

Registration starts at 08:00 – 10:00 | Chablis Suite | Novotel London West

sans.org/u/1mfN Follow #CyberThreat22 for live social updates during the event

GitHub Community

@GitHubCommunity

Jan 12

In software development, we often neglect security, but it's vital. That’s why we’re highlighting Metasploit -- the world’s most used penetration testing framework. We'll chat with

@zeroSteiner

on twitch.tv/github on Jan 13 at 1 pm ET. RSVP: tinyurl.com/osfriday

Secure your codebase with Metasploit featuring Spencer McIntyre and Rizel Scarlett

read image description

ALT

NULLCON

@nullcon

Jan 4

Sponsor Alert! 🙌We are excited to Welcome

as Workshop Sponsor at #NullconBerlin 😎Meet folks #securing the #opensource & network with incredible #infosec minds Go grab your tickets👉bit.ly/3Tq3Em2 #NullconDE2023 #GreenCon #Conference #Cybersecurity

Paulino Calderon

@calderpwn

Dec 29, 2022

Woah, the end of the year is upon us. One of the funner activities I participated in this year was a panel with the

@github

and

Can we fix vulnerability reporting in open source? - Universe 2022

teams about fixing vulnerability reporting in open source. Re-watch the session here:

youtube.com

This panel is tackling one of the thorniest problems in open source: how to make vulnerability reporting simple, secret, and stress-free. Learn about the com...

Hello CTF lovers! Learn about the design behind the challenges that GitHub created for

@ekoparty

's #EKO2022 main CTF

github.blog

GitHub and the Ekoparty 2022 Capture the Flag | The GitHub Blog

Learn about the design behind, and solutions to, several of GitHub’s CTF challenge for Ekoparty’s 2022 event!

Dec 22, 2022

GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553

GHSL-2021-1009: URL access filters bypass in Alpine - CVE-2022-23553

URL access filters (block and allow list) are subject to be bypassed

Dec 22, 2022

GHSL-2021-1010: Authentication bypass in Alpine - CVE-2022-23554

GHSL-2021-1010: Authentication bypass in Alpine - CVE-2022-23554

The AuthenticationFilter can be bypassed

Dec 22, 2022

GHSL-2022-061: Bearer token disclosure in ghinstallation - CVE-2022-39304

GHSL-2022-061: Bearer token disclosure in ghinstallation - CVE-2022-39304

Bearer token gets disclosed when there is an error during token renewal

Dec 19, 2022

GHSL-2022-112_GHSL-2022-115: Remote denial of service in Linux kernel WILC1000 wireless driver - CVE-2022-47518, CVE-2022-47519, CVE-2022-47520, CVE-2022-47521

GHSL-2022-112_GHSL-2022-115: Remote denial of service in Linux kernel WILC1000 wireless driver -...

Multiple vulnerabilities in the Linux kernel Microchip WILC1000 802.11 wireless driver can allow remote and local attackers to trigger a denial of service when parsing management frames.

Dec 16, 2022

Collaboration is the name of the game! Let's provide OWASP with feedback through this survey so that we can improve the user experience for all.

Quote Tweet

owasp

@owasp

Dec 15, 2022

Help needed! Together with Netguru we're conducting a user experience study to understand how people use owasp.org today, what works and what doesn't and to be able to change it for the better. Survey takes 3 minutes! - netguru.typeform.com/to/fxi3Qlp8

Dec 16, 2022

GHSL-2022-070_GHSL-2022-072: SQL injection in Arches - CVE-2022-41892

GHSL-2022-070_GHSL-2022-072: SQL injection in Arches - CVE-2022-41892

The Arches project contains multiple blind SQL injection vulnerabilities, that allow an attacker to query the underlying database.

Dec 9, 2022

GHSL-2022-028: Copy/paste cross-site scripting (XSS) in codex-team

GHSL-2022-028: Copy/paste cross-site scripting (XSS) in codex-team

codex-team/editor.js is vulnerable to XSS attacks when copy/pasting specially crafted input into the editor.

Dec 9, 2022

GHSL-2022-130: Out-of-bounds (OOB) read in openrazer - CVE-2022-23467

GHSL-2022-130: Out-of-bounds (OOB) read in openrazer - CVE-2022-23467

A malicious device can send a USB report to the openrazer razermouse driver, resulting in an out-of-bounds (OOB) read.

Dec 8, 2022

🎉 CoPilot for CodeQL queries to find security bugs!

GHSL-2022-068: Remote Code Execution (RCE) in PDFMake - CVE-2022-46161

GHSL-2022-068: Remote Code Execution (RCE) in PDFMake - CVE-2022-46161

The dev-playground of pdfmake lacks sandboxing/sanitization of the data sent to the server, which flows to eval().

KITCTF

@KITCTF

Dec 6, 2022

The CTF will be jeopardy-style with challenges from all major categories such as crypto, pwn, reversing, web, misc and more exotic ones like #CodeQL as well. If you ever wanted to try CodeQL, this is your excuse for spending time on it :P Prizes: 1st: $500 2nd: $300 3rd: $200

Quote Tweet

KITCTF

@KITCTF

Dec 3, 2022

We are proud to announce our first ever CTF! It starts on the next weekend already, so don't miss it

Date: Friday, 09 Dec. 2022, 18:00 UTC - Saturday, 10 Dec. 2022, 23:59 UTC More information at ctf.kitctf.me

Show this thread

Thanks to

and

for helping us by reporting a serious security vulnerability. We take security very seriously and managed to patch the issue within one hour. You can find more details about the vulnerability in the quoted article.

Quote Tweet

GHSL-2022-069: Remote Code Execution (RCE) in CircuitVerse - CVE-2022-36038 securitylab.github.com/advisories/GHS

intrigus

@intrigus_

Nov 25, 2022

(1/2) Very happy that my JWT query has been highlighted by

@XCorail

from the

at #githubuniverse as an example for community-driven security contributions. See intrigus.org/research/2022/ for the high-quality and slightly longer version!

And to celebrate CodeQL for Ruby, we launched a special and limited program as part of our CodeQL bounty program, with up to $2000 bonus for high quality submissions. Secure open source and get rewarded. Check it out:

Securing the world’s software, together

Bounties

ICYMI GitHub announced the general availability of #CodeQL for Ruby 🎉 The RCE and DoS that

@ulldma

disclosed today in Ruby open source projects were found thanks to CodeQL: securitylab.github.com/advisories GHSL-2022-073, GHSL-2022-067 and GHSL-2022-063.

Securing the world’s software, together

Advisories

GHSL-2022-073: Denial of Service (DoS) in Fat Free CRM - CVE-2022-39281

GHSL-2022-073: Denial of Service (DoS) in Fat Free CRM - CVE-2022-39281

A denial of service vulnerability existed in Fat Free CRM where an authenticated attacker could have prevented the web application from handling any requests.

GHSL-2022-069: Remote Code Execution (RCE) in CircuitVerse - CVE-2022-36038

GHSL-2022-069: Remote Code Execution (RCE) in CircuitVerse - CVE-2022-36038

A remote code execution (RCE) vulnerability in CircuitVerse allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.

GHSL-2022-067: Remote Code Execution (RCE) in Fluentd - CVE-2022-39379

GHSL-2022-067: Remote Code Execution (RCE) in Fluentd - CVE-2022-39379

A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allowed unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.

GHSL-2022-063: Remote Code Execution (RCE) in Arvados Workbench - CVE-2022-36006

GHSL-2022-063: Remote Code Execution (RCE) in Arvados Workbench - CVE-2022-36006

A remote code execution (RCE) vulnerability in the Arvados Workbench allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.

We are proud to sponsor #GreHack22. Tomorrow,

@jkcso

and

@yarlob

will run a CodeQL workshop where you can learn the basics of CodeQL through real-world examples! "Can't Grep This!" grehack.fr/2022/workshops

Quote Tweet

GreHack

@GrehackConf

Nov 8, 2022

Hey folks! The #GreHack22 sponsors week continues. Today we would like to thank our 32 bits sponsors @Synacktiv, @RandoriSec and @GHSecurityLab!

How to enable it:

NEW Security Feature: 🎉 PRIVATE VULNERABILITY REPORTING 🎉

127

This Tuesday, we are at #OSMC in Nuremberg, Germany! Join us to learn more about Security as Code (SaC) and the latest initiatives we pursue to secure open source.

Quote Tweet

NETWAYS Events

@NetwaysEvents

Nov 5, 2022

In his #OSMC talk @jkcso from @GHSecurityLab will review lessons learned from #DevOps to implement a thriving #DevSecOps culture. Check it out for more: osmc.de/talks/a-mainta

is on the Main Stage talking about how GitHub uses GitHub to build GitHub, joined by our very own

@XCorail

covering security and CodeQL! #GitHubUniverse