CISA, FBI urge developers to patch path traversal bugs before shipping
- by nlqip
The advisory noted that, although approaches for avoiding directory traversal vulnerabilities are readily available, their exploitation by threat actors is still on the rise, with critical services such as hospital and school operations among those affected.
The prevalence of such vulnerabilities is apparent through CISA’s current listing of 58 path traversal vulnerabilities in its known exploited vulnerabilities (KEV) catalog.
Mitigations include auto-indexing or type limitation in file names
The advisory encourages developers to use “well-known and effective mitigations” to help prevent directory traversal vulnerabilities. These include generating an identifier for each file and storing associated metadata separately, and if that’s not possible, limiting the type of characters that can be supplied in the file names.
CISA pointed out that the above steps can also be applied in the case of cloud services, as they too are affected by these vulnerabilities, in conjunction with other known best approaches.
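The two mitigations described above, as an added Python example that is not code from the advisory or from CISA: a file store that saves each upload under a server-generated random identifier and keeps the user-supplied name only as metadata, and, for cases where a user-supplied name must be used, a conservative character whitelist combined with a canonical-path check that confirms the result stays under the storage root. The class and function names and the temporary-directory setup are assumptions made for the example.

```python
import re
import secrets
import tempfile
from pathlib import Path

# Mitigation 1 from the advisory: the filesystem name is a server-generated
# identifier; the name the user supplied is stored separately as metadata.
FILE_ID = re.compile(r"[0-9a-f]{32}")


class FileStore:
    """Hypothetical upload store used to illustrate identifier-based storage."""

    def __init__(self, root: Path) -> None:
        self.root = root.resolve()
        self.root.mkdir(parents=True, exist_ok=True)
        self.metadata = {}  # file_id -> original user-supplied name

    def store(self, user_supplied_name: str, data: bytes) -> str:
        file_id = secrets.token_hex(16)  # 32 hex chars, never user-controlled
        (self.root / file_id).write_bytes(data)
        self.metadata[file_id] = user_supplied_name
        return file_id

    def read(self, file_id: str) -> bytes:
        # Only identifiers of the expected shape can reach the filesystem.
        if FILE_ID.fullmatch(file_id) is None:
            raise ValueError("malformed file id")
        return (self.root / file_id).read_bytes()


# Mitigation 2: when a user-supplied name must be used, restrict the character
# set. Separators, NUL, percent signs and a leading '.' are all rejected, so
# '..', '../', '..\\' and URL-encoded variants never pass.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_filename(name: str) -> bool:
    """fullmatch (not match) so a trailing newline cannot slip past the check."""
    return SAFE_NAME.fullmatch(name) is not None


def resolve_within_root(root: Path, name: str) -> Path:
    """Defense in depth: canonicalise and confirm the path stays under root."""
    if not is_safe_filename(name):
        raise ValueError(f"rejected filename: {name!r}")
    root = root.resolve()
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError("path escapes storage root") from None
    return candidate


def demo() -> dict:
    """Store a file whose user-supplied name is a traversal string (constructed
    sample input) and show that the name never influences the on-disk path."""
    with tempfile.TemporaryDirectory() as tmp:
        store = FileStore(Path(tmp))
        file_id = store.store("../../etc/passwd", b"hello")
        return {
            "id_well_formed": FILE_ID.fullmatch(file_id) is not None,
            "content": store.read(file_id),
            "stored_name": store.metadata[file_id],
        }


if __name__ == "__main__":
    print(demo())
    print(is_safe_filename("report.pdf"), is_safe_filename("../etc/passwd"))
```

The identifier approach removes the user's influence over the path entirely, which is why the advisory lists it first; the whitelist plus canonical-path check is the fallback when an application genuinely needs user-visible names on disk.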
“CISA and FBI encourage manufacturers to learn how to protect their products from falling victim to these exploits and other preventable malicious activities in accordance with three advised principles,” the advisory added.
These principles include taking ownership of customer security outcomes, embracing transparency and accountability, and deploying organizational structure and leadership to achieve these goals.