Supply chain security
Over a few years, the software supply-chain has gone from being a largely ignored part of the development lifecycle to a deeply researched and utilized attack vector for adversaries. These adversaries discover new attack surface again and again as well as how to achieve massive impact. From a defenders point of view, your own stack can be secure, but if your supply-chain is left untouched, unexamined and unscrutinized, you don’t know what attackers know about an important piece of attack surface.
Secure your supply chain at every stage
Development-stage risks
During development, you don’t process user data, you don’t use production keys, you don’t use production server credentials, yet, adversaries can still compromise your development pipeline to a degree where they can escalate their privileges to production.
Build and release
Build and release pipelines have many entrypoints and exposed attack surface that adversaries will use to compromise your system. This can result in compromised binaries or other artifacts that will allow adversaries to compromise your users.
Runtime and production
Your production deployment also has a supply-chain with security risk. Attackers can manifest themselves in your supply-chain in such a manner that they can compromise your production use case - even though your development, build and release pipelines are secure.
Your supply-chain’s supply-chain
You can have done your part to secure your own, internal supply-chain, but do you know how your dependencies treat their own pipeline? Do they have secure processes, or can an adversary escalate a position from your dependencies’ supply-chain into your systems?
Our supply-chain services
Threat modelling

We can threat model your supply-chain to identify its attack surface, threat actors, trust zones and trust flow and security controls.

Auditing

We can audit your supply-chain to identify risks and potential attacks on your supply-chain.

Security engineering

We can take on complete projects or assist in security engineering engagement to get more insight into your supply chain or harden it.

Open and closed source

Our services apply to both open source and closed source supply chains whether they are fully open source or partly open source.

Cloud

We can work in cloud and non-cloud enviroments. Our services apply to both.

Talk to us now about your supply-chain security
Contact Us
Sample Open Source Vulnerabilities

We have found vulnerabilities in the biggest and most widely used open-source software projects.

20/11-2024
Cert-Manager
Potential slowdown / DoS when parsing specially crafted PEM inputs
Low
ID:
GHSA-r4pg-vg54-wxx4
Published:
20/11-2024
Project:
Cert-Manager
https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4
18/10-2024
Keycloak
org.keycloak:keycloak-services has Inefficient Regular Expression Complexity
High
ID:
CVE-2024-10270
Published:
18/10-2024
Project:
Keycloak
https://github.com/advisories/GHSA-wq8x-cg39-8mrr
1/10-2024
Go-TUF
Incorrect delegation lookups can make go-tuf download the wrong artifact
High
ID:
CVE-2024-47534
Published:
1/10-2024
Project:
Go-TUF
https://github.com/advisories/GHSA-4f8r-qqr9-fq8j
30/9-2024
expressjs/basic-auth-connect
basic-auth-connect's callback uses time unsafe string comparison
Low
ID:
CVE-2024-47178
Published:
30/9-2024
Project:
expressjs/basic-auth-connect
https://github.com/advisories/GHSA-7p89-p6hx-q4fw
10/9-2024
expressjs/body-parser
body-parser vulnerable to denial of service when url encoding is enabled
High
ID:
CVE-2024-45590
Published:
10/9-2024
Project:
expressjs/body-parser
https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
10/9-2024
Express.js
express vulnerable to XSS via response.redirect()
Low
ID:
CVE-2024-43796
Published:
10/9-2024
Project:
Express.js
https://github.com/advisories/GHSA-qw6h-vgh9-j6wx
10/9-2024
pillarjs/send
send vulnerable to template injection that can lead to XSS
Low
ID:
CVE-2024-43799
Published:
10/9-2024
Project:
pillarjs/send
https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
4/9-2024
Sigstore-go
sigstore-go has an unbounded loop over untrusted input can lead to endless data attack
Low
ID:
CVE-2024-45395
Published:
4/9-2024
Project:
Sigstore-go
https://github.com/advisories/GHSA-cq38-jh5f-37mq
18/6-2024
Minder
Minder affected by denial of service from maliciously configured Git repository
Moderate
ID:
CVE-2024-37904
Published:
18/6-2024
Project:
Minder
https://github.com/advisories/GHSA-hpcg-xjq5-g666
27/5-2024
Minder
Denial of service of Minder Server from maliciously crafted GitHub attestations
Moderate
ID:
CVE-2024-35238
Published:
27/5-2024
Project:
Minder
https://github.com/advisories/GHSA-8fmj-33gw-g7pw
20/5-2024
Minder
Stacklok Minder vulnerable to denial of service from maliciously crafted templates
Moderate
ID:
CVE-2024-35194
Published:
20/5-2024
Project:
Minder
https://github.com/advisories/GHSA-crgc-2583-rw27
16/5-2024
Minder
Denial of service of Minder Server with attacker-controlled REST endpoint
Moderate
ID:
CVE-2024-35185
Published:
16/5-2024
Project:
Minder
https://github.com/advisories/GHSA-fjw8-3gp8-4cvx
15/5-2024
fastify-secure-session
@fastify/secure-session: Reuse of destroyed secure session cookie
High
ID:
CVE-2024-31999
Published:
15/5-2024
Project:
fastify-secure-session
https://github.com/advisories/GHSA-9wwp-q7wq-jx35
7/5-2024
Minder
Minder's GitHub Webhook Handler vulnerable to DoS from un-validated requests
High
ID:
CVE-2024-34084
Published:
7/5-2024
Project:
Minder
https://github.com/advisories/GHSA-9c5w-9q3f-3hv7
10/4-2024
Sigstore Cosign
Cosign malicious attachments can cause system-wide denial of service
Moderate
ID:
CVE-2024-29902
Published:
10/4-2024
Project:
Sigstore Cosign
https://github.com/advisories/GHSA-88jx-383q-w4qc
10/4-2024
Sigstore Cosign
Cosign malicious artifacts can cause machine-wide DoS
Moderate
ID:
CVE-2024-29903
Published:
10/4-2024
Project:
Sigstore Cosign
https://github.com/advisories/GHSA-95pr-fxf5-86gv
ID:
CVE-2023-46738
Published:
3/1-2024
Project:
Knative Serving
https://github.com/advisories/GHSA-qc6v-g3xw-grmx
3/1-2024
CubeFS
Authenticated users can crash the CubeFS servers with maliciously crafted requests
High
ID:
CVE-2023-46738
Published:
3/1-2024
Project:
CubeFS
https://github.com/advisories/GHSA-qc6v-g3xw-grmx
3/1-2024
CubeFS
CubeFS timing attack can leak user passwords
High
ID:
CVE-2023-46739
Published:
3/1-2024
Project:
CubeFS
https://github.com/advisories/GHSA-8579-7p32-f398
3/1-2024
CubeFS
Insecure random string generator used for sensitive data
High
ID:
CVE-2023-46740
Published:
3/1-2024
Project:
CubeFS
https://github.com/advisories/GHSA-4248-p65p-hcrm
3/1-2024
CubeFS
CubeFS leaks magic secret key when starting Blobstore access service
High
ID:
CVE-2023-46741
Published:
3/1-2024
Project:
CubeFS
https://github.com/advisories/GHSA-8h2x-gr2c-c275
3/1-2024
CubeFS
CubeFS leaks users key in logs
Moderate
ID:
CVE-2023-46742
Published:
3/1-2024
Project:
CubeFS
https://github.com/advisories/GHSA-vwch-g97w-hfg2
27/11-2023
Knative Serving
Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler
Moderate
ID:
CVE-2023-48713
Published:
27/11-2023
Project:
Knative Serving
https://github.com/advisories/GHSA-qmvj-4qr9-v547
13/11-2023
Kyverno
Attacker can cause Kyverno user to unintentionally consume insecure image
High
ID:
CVE-2023-47630
Published:
13/11-2023
Project:
Kyverno
https://github.com/advisories/GHSA-3hfq-cx9j-923w
7/11-2023
Sigstore Cosign
Cosign vulnerable to possible endless data attack from attacker-controlled registry
Low
ID:
CVE-2023-46737
Published:
7/11-2023
Project:
Sigstore Cosign
https://github.com/advisories/GHSA-vfp6-jrw2-99g9
7/11-2023
Crossplane
Possible image tampering from missing image validation for Packages
High
ID:
CVE-2023-38495
Published:
7/11-2023
Project:
Crossplane
https://github.com/advisories/GHSA-pj4x-2xr5-w87m
29/9-2023
Apache Avro Java SDK
Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
High
ID:
CVE-2023-39410
Published:
29/9-2023
Project:
Apache Avro Java SDK
https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
27/7-2023
Crossplane
Denial of service from large image
Low
ID:
CVE-2023-37900
Published:
27/7-2023
Project:
Crossplane
https://github.com/advisories/GHSA-68p4-95xf-7gx8
16/7-2023
Avro
avro vulnerable to denial of service via attacker-controlled parameter
High
ID:
CVE-2023-37475
Published:
16/7-2023
Project:
Avro
https://github.com/advisories/GHSA-9x44-9pgq-cf45
13/07-2023
Istio
Unauthenticated control plane denial of service attack in Istio
High
ID:
CVE-2022-23635
Published:
13/07-2023
Project:
Istio
https://github.com/advisories/GHSA-856q-xv3c-7f2f
6/6-2023
Notation
Notation vulnerable to denial of service from high number of artifact signatures
Moderate
ID:
CVE-2023-33957
Published:
6/6-2023
Project:
Notation
https://github.com/advisories/GHSA-9m3v-v4r5-ppx7
6/6-2023
Notation
Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack
Moderate
ID:
CVE-2023-33958
Published:
6/6-2023
Project:
Notation
https://github.com/advisories/GHSA-rvrx-rrwh-r9p6
6/6-2023
Notation-go
notation-go's verification bypass can cause users to verify the wrong artifact
Moderate
ID:
CVE-2023-33959
Published:
6/6-2023
Project:
Notation-go
https://github.com/advisories/GHSA-xhg5-42rf-296r
11/5-2023
Vitess
VTAdmin users that can create shards can deny access to other functions
Moderate
ID:
CVE-2023-29195
Published:
11/5-2023
Project:
Vitess
https://github.com/advisories/GHSA-pqj7-jx24-wj7w
3/5-2023
Rekor
Rekor's compressed archives can result in OOM conditions
High
ID:
CVE-2023-30551
Published:
3/5-2023
Project:
Rekor
https://github.com/advisories/GHSA-2h5h-59f5-c5x9
11/4-2023
Vitess
Vitess allows users to create keyspaces that can deny access to already existing keyspaces
Moderate
ID:
CVE-2023-29194
Published:
11/4-2023
Project:
Vitess
https://github.com/advisories/GHSA-735r-hv67-g38f
9/3-2023
Crossplane-runtime
fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime
Moderate
ID:
CVE-2023-27483
Published:
9/3-2023
Project:
Crossplane-runtime
https://github.com/advisories/GHSA-vfvj-3m3g-m532
9/3-2023
Crossplane
Crossplane-runtime contains Improper Input Validation via Compositions
Moderate
ID:
CVE-2023-27484
Published:
9/3-2023
Project:
Crossplane
https://github.com/advisories/GHSA-v829-x6hh-cqfq
20/2-2023
Helm
notation-go has excessive memory allocation on verification
High
ID:
CVE-2023-25656
Published:
20/2-2023
Project:
Helm
https://github.com/advisories/GHSA-87x9-7grx-m28v
16/2-2023
containerd
OCI image importer memory exhaustion
Moderate
ID:
CVE-2023-25153
Published:
16/2-2023
Project:
containerd
https://github.com/advisories/GHSA-259w-8hf6-59c2
27/1-2023
ArgoCD
Argo CD certificate verification is skipped for connections to OIDC providers
High
ID:
CVE-2022-31105
Published:
27/1-2023
Project:
ArgoCD
https://github.com/advisories/GHSA-7943-82jg-wmw5
14/12-2022
Helm
Helm vulnerable to denial of service through string value parsing
Moderate
ID:
CVE-2022-23524
Published:
14/12-2022
Project:
Helm
https://github.com/advisories/GHSA-6rx9-889q-vv2r
14/12-2022
Helm
Helm vulnerable to denial of service through through repository index file
Moderate
ID:
CVE-2022-23525
Published:
14/12-2022
Project:
Helm
https://github.com/advisories/GHSA-53c4-hhmh-vw5q
14/12-2022
Helm
Helm vulnerable to denial of service through schema file
Moderate
ID:
CVE-2022-23526
Published:
14/12-2022
Project:
Helm
https://github.com/advisories/GHSA-67fx-wx78-jx33
14/10-2022
Golang
Reader.Read does not set a limit on the maximum size
High
ID:
CVE-2022-2879
Published:
14/10-2022
Project:
Golang
https://github.com/advisories/GHSA-fqpx-62jv-7r6r
14/10-2022
Golang
golang.org/x/text/language Denial of service via crafted Accept-Language header
High
ID:
CVE-2022-32149
Published:
14/10-2022
Project:
Golang
https://github.com/advisories/GHSA-69ch-w2m2-3vjp
3/10-2022
Jackson-Databind
Uncontrolled Resource Consumption in FasterXML jackson-databind
High
ID:
CVE-2022-42004
Published:
3/10-2022
Project:
Jackson-Databind
https://github.com/advisories/GHSA-rgv9-q543-rqg4
24/8-2022
Helm
Helm Vulnerable to denial of service through string value parsing
Moderate
ID:
CVE-2022-36055
Published:
24/8-2022
Project:
Helm
https://github.com/advisories/GHSA-7hfp-qfw3-5jxh
24/8-2022
Jackson-Databind
Uncontrolled Resource Consumption in Jackson-databind
High
ID:
CVE-2022-42003
Published:
24/8-2022
Project:
Jackson-Databind
https://github.com/advisories/GHSA-jjjh-jjxp-wpff
12/7-2022
ArgoCD
Argo CD SSO users vulnerable to Cross-site Scripting
Low
ID:
CVE-2022-31102
Published:
12/7-2022
Project:
ArgoCD
https://github.com/advisories/GHSA-pmjg-52h9-72qv
13/7-2022
containerd
Insecure path traversal in Git Trigger Source can lead to arbitrary file read
High
ID:
CVE-2022-25856
Published:
13/7-2022
Project:
containerd
https://github.com/advisories/GHSA-qpgx-64h2-gc3cw
11/7-2022
KubeEdge
KubeEdge Edge ServiceBus module DoS
Moderate
ID:
CVE-2022-31073
Published:
11/7-2022
Project:
KubeEdge
https://github.com/advisories/GHSA-vwm6-qc77-v2rh
11/7-2022
KubeEdge
KubeEdge Cloud AdmissionController component DoS
Moderate
ID:
CVE-2022-31074
Published:
11/7-2022
Project:
KubeEdge
https://github.com/advisories/GHSA-w52j-3457-q9wr
11/7-2022
KubeEdge
KubeEdge DoS when signing the CSR from EdgeCore
Moderate
ID:
CVE-2022-31075
Published:
11/7-2022
Project:
KubeEdge
https://github.com/advisories/GHSA-x3px-2p95-f6jr
11/7-2022
KubeEdge
KubeEdge CloudCore Router memory exhaustion vulnerability
Moderate
ID:
CVE-2022-31078
Published:
11/7-2022
Project:
KubeEdge
https://github.com/advisories/GHSA-qpx3-9565-5xwm
11/7-2022
KubeEdge
KubeEdge Cloud Stream and Edge Stream DoS from large stream message
Moderate
ID:
CVE-2022-31079
Published:
11/7-2022
Project:
KubeEdge
https://github.com/advisories/GHSA-wrcr-x4qj-j543
11/7-2022
KubeEdge
DoS in KubeEdge's Websocket Client in package Viaduct
Moderate
ID:
CVE-2022-31080
Published:
11/7-2022
Project:
KubeEdge
https://github.com/advisories/GHSA-6wvc-6pww-qr4r
26/6-2022
KubeEdge
CloudCore CSI Driver: Malicious response from KubeEdge can crash CSI Driver controller server
Moderate
ID:
CVE-2022-31077
Published:
26/6-2022
Project:
KubeEdge
https://github.com/advisories/GHSA-x938-fvfw-7jh5
24/6-2022
KubeEdge
CloudCore UDS Server: Malicious Message can crash CloudCore
Moderate
ID:
CVE-2022-31076
Published:
24/6-2022
Project:
KubeEdge
https://github.com/advisories/GHSA-x938-fvfw-7jh5
21/6-2022
ArgoCD
Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params
High
ID:
CVE-2022-31034
Published:
21/6-2022
Project:
ArgoCD
https://github.com/advisories/GHSA-2m7h-86qq-fp4v
21/6-2022
ArgoCD
Argo CD's external URLs for Deployments can include JavaScript
Critical
ID:
CVE-2022-31035
Published:
21/6-2022
Project:
ArgoCD
https://github.com/advisories/GHSA-h4w9-6x78-8vrj
21/6-2022
ArgoCD
Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server
Moderate
ID:
CVE-2022-31036
Published:
21/6-2022
Project:
ArgoCD
https://github.com/advisories/GHSA-q4w5-4gq2-98vm
21/6-2022
ArgoCD
DoS through large manifest files in Argo CD
Moderate
ID:
CVE-2022-31016
Published:
21/6-2022
Project:
ArgoCD
https://github.com/advisories/GHSA-jhqp-vf4w-rpwq
6/6-2022
cri-o
Node DOS by way of memory exhaustion through ExecSync request in CRI-O
High
ID:
CVE-2022-1708
Published:
6/6-2022
Project:
cri-o
https://github.com/advisories/GHSA-fcm2-6c3h-pg6j
6/6-2022
containerd
containerd CRI plugin: Host memory exhaustion through ExecSync
Moderate
ID:
CVE-2022-31030
Published:
6/6-2022
Project:
containerd
https://github.com/advisories/GHSA-5ffw-gxpp-mxpf
11/11-2021
FluxCD kustomize-controller
Privilege escalation to cluster admin on multi-tenant environments
High
ID:
CVE-2021-41254
Published:
11/11-2021
Project:
FluxCD kustomize-controller
https://github.com/advisories/GHSA-35rf-v2jv-gfg7