Attack of the clones 2: Git CLI remote code execution strikes back

Introduction This post is the second part of the story of a vulnerability that could be leveraged as a supply chain attack and used to hack millions of software developers around the world. We will describe all details about CVE-2020-26233, a vulnerability affecting all versions below 2.0.280 of Git Credential Manager Core in Github CLI […]

Attack of the clones: Git clients remote code execution

Introduction This post is a rather unusual story of a vulnerability that could be leveraged as a supply chain attack and used to attack millions of software developers around the world. It is also a tale of a bug collision that paid a bounty to one reporter and assigned the CVE to another! The main […]

Security advisory: Mattermost Mobile for iOS v1.31.0 Authentication Token Leakage and Account Takeover

Advisory information Title: Mattermost Mobile for iOS Authentication Token Leakage and Account Takeover Advisory reference: BLAZE-05-2020 Product: Mattermost Mobile Client for iOS v1.31.0 (Build 293) CVE reference: CVE-2020-13891 Vendor reference: MMSA-2020-0022 Disclosure mode: Coordinated disclosure Product description Mattermost is a flexible, open source messaging platform that enables secure team collaboration. The product is used in […]

Security advisory: Mullvad VPN client for Windows 2020.3 local privilege escalation

Advisory information Title: Mullvad VPN client for Windows 2020.3 local privilege escalation Advisory reference: BLAZE-03-2020 Product: Mullvad 2020.3 for Windows CVE reference: CVE-2020-14197 Disclosure mode: Coordinated Product description Mullvad is a Sweden-based VPN provider with a strong focus on privacy. It has been in business for over 10 years and has a track record in […]

Security advisory: i2p for Windows local privilege escalation

Advisory information Title: i2p for Windows local privilege escalation Advisory reference: BLAZE-02-2020 Product: i2p 0.7.5 to 0.9.45 for Windows CVE reference: CVE-2020-13431 Disclosure mode: Coordinated Product description i2p (The Invisible Internet Project) is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other. Frequently, I2P […]