The content is a blog post by Mohamed AboElKheir from the series “Lessons Learned”, which looks at real-world vulnerabilities from an application security engineer’s perspective, with an emphasis on root causes and prevention measures. The first installment discusses a vulnerability in Metabase, an open-source business intelligence tool, identified as CVE-2023-38646, which allowed pre-authentication remote code execution. The issue arose because a developer removed the code that cleared a setup token after initialization; the change went unnoticed during code review, leaving the token accessible to attackers. Additionally, an SQL injection vulnerability was found, rooted in a 0-day flaw in the H2 database driver. The post suggests threat modeling, security tests, avoiding complex inputs, and input validation as preventive measures. The article highlights the importance of robust security practices and thorough testing to mitigate such vulnerabilities.
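The root cause described above, a one-time setup token that stopped being cleared once initialization finished, is the kind of regression a small lifecycle test catches. The following is an added example, not Metabase's code nor code from the original post: it models the token lifecycle with a hypothetical `SetupTokenStore`, a hypothetical `setup_endpoint` handler, and a regression check `token_is_dead_after_init` that returns `True` only when a token issued before setup is rejected afterwards. The `clear_token=False` switch models the deleted clearing step so the test can show the invariant failing.

```python
"""Added example (hypothetical names; not Metabase's implementation):
a minimal setup-token lifecycle and the regression test that would
have flagged a removed "clear the token after init" step."""
import hmac
import secrets
from typing import Optional


class SetupTokenStore:
    """Holds the one-time token that authorises the initial setup wizard."""

    def __init__(self) -> None:
        self._token: Optional[str] = None
        self.initialized = False

    def begin_setup(self) -> str:
        """Issue a fresh, unguessable setup token; only allowed before init."""
        if self.initialized:
            raise RuntimeError("instance is already initialised")
        self._token = secrets.token_urlsafe(32)
        return self._token

    def is_valid(self, presented: str) -> bool:
        """Constant-time comparison; a cleared token (None) never matches."""
        if self._token is None:
            return False
        return hmac.compare_digest(self._token.encode(), presented.encode())

    def complete_setup(self, clear_token: bool = True) -> None:
        """Finish initialisation. clear_token=False models the regression in
        which the clearing line was deleted and the token stayed live."""
        self.initialized = True
        if clear_token:
            self._token = None


def setup_endpoint(store: SetupTokenStore, token: str) -> int:
    """Hypothetical unauthenticated handler: 200 when the presented token
    authorises setup actions, 403 otherwise. After init it must be 403."""
    return 200 if store.is_valid(token) else 403


def token_is_dead_after_init(clear_token: bool = True) -> bool:
    """Regression check: a token issued during setup must be rejected once
    setup completes. Returns True when the invariant holds."""
    store = SetupTokenStore()
    token = store.begin_setup()
    if setup_endpoint(store, token) != 200:  # must work during setup
        return False
    store.complete_setup(clear_token=clear_token)
    return setup_endpoint(store, token) == 403 and not store.is_valid(token)


if __name__ == "__main__":
    print("token cleared after init:", token_is_dead_after_init(True))
    print("clearing step removed   :", token_is_dead_after_init(False))
```

Wiring `token_is_dead_after_init()` into the test suite turns the post's "security tests" recommendation into a concrete gate: a pull request that drops the clearing step fails CI rather than relying on a reviewer noticing a deleted line.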
Go here to read the Original Post