Hi, welcome to j0vsec.com.

My name is Jordy Versmissen and I’m a software developer and security researcher. You can find blog posts about my research, tips and more here. For more about me, check out the about page or my LinkedIn profile. If you have any questions, please feel free to contact me.


CVE-2021-43798 - Path traversal vulnerability in Grafana

In December 2021 I reported a path traversal vulnerability in Grafana. The vulnerability allows an unauthenticated user to read files on the host. It was assigned CVE-2021-43798, with a CVSSv3 score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). I reported the vulnerability to Grafana on December 2nd and the team took action right away. As this was the first high-severity vulnerability I had discovered, I couldn’t control my excitement and posted a tweet about the fact that I had found a path traversal vulnerability in Grafana.
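As an added illustration of the bug class (this is example code written for this page, not Grafana's code, and the post above does not detail the affected endpoint): a hypothetical Java static-file resolver with the trusting lookup next to the hardened one. The class name, the web root `/srv/app/public` and the three request paths are constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical static-file resolver used to illustrate path traversal.
// Not Grafana's code; the web root and request paths are constructed.
public final class StaticFileResolver {
    private final Path root;

    public StaticFileResolver(Path root) {
        this.root = root.toAbsolutePath().normalize();
    }

    // Vulnerable: the request path is joined to the web root as-is, so
    // ".." segments (or an absolute path) resolve to files outside root.
    public Path resolveUnchecked(String requestPath) {
        return root.resolve(requestPath).normalize();
    }

    // Hardened: normalize first, then require that the result is still
    // inside root. Path.startsWith compares whole path elements, so a
    // sibling directory such as /srv/app/public2 does not pass as a prefix.
    public Path resolveChecked(String requestPath) {
        Path candidate = root.resolve(requestPath).normalize();
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("path escapes web root: " + requestPath);
        }
        return candidate;
    }

    public static void main(String[] args) {
        StaticFileResolver resolver = new StaticFileResolver(Paths.get("/srv/app/public"));
        // Constructed probes: one legitimate asset, one ".." walk, one absolute path.
        String[] probes = {
            "plugins/example/img/logo.png",
            "plugins/example/../../../../../etc/passwd",
            "/etc/passwd",
        };
        for (String probe : probes) {
            System.out.println("request:   " + probe);
            System.out.println("unchecked: " + resolver.resolveUnchecked(probe));
            try {
                System.out.println("checked:   " + resolver.resolveChecked(probe));
            } catch (IllegalArgumentException e) {
                System.out.println("checked:   rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats a practitioner should keep in mind: the check must run on the URL-decoded path (a `%2e%2e` segment that is decoded after the check bypasses it), and it only constrains the lexical path; a symlink inside the web root can still point outside it, so if symlinks are a concern resolve with `toRealPath()` and repeat the `startsWith` test on the result.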

CVE-2021-25738

In April 2021 I found a vulnerability in the Kubernetes Java Client. The client uses SnakeYAML, a very popular Java library for serializing and deserializing YAML. SnakeYAML has a feature to (de)serialize arbitrary Java objects, which can be abused to execute arbitrary code, and this feature is enabled by default. My finding in the Kubernetes Java client was registered as a CVE by Kubernetes, and the report on HackerOne was disclosed today.
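The default-on behaviour mentioned above, shown in an added example that is not code from the Kubernetes Java client or from SnakeYAML itself. It assumes SnakeYAML 1.x on the classpath (the line current in 2021; SnakeYAML 2.0 later changed the default constructor to refuse global tags unless explicitly allowed). The `ServiceConfig` class and the YAML document are constructed for the example: the `!!ServiceConfig` tag is what lets a document choose which Java class gets instantiated, and `SafeConstructor` is what turns that off.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Hypothetical bean standing in for "any class on the classpath with a
// no-arg constructor and settable properties"; constructed for this example.
class ServiceConfig {
    public String name;
    public int replicas;

    @Override
    public String toString() {
        return "ServiceConfig{name=" + name + ", replicas=" + replicas + "}";
    }
}

public final class YamlTagDemo {
    // Constructed document. The "!!ServiceConfig" global tag names the Java
    // class to instantiate; in an untrusted document the attacker picks it.
    static final String UNTRUSTED_DOC =
            "!!ServiceConfig\n" +
            "name: web\n" +
            "replicas: 3\n";

    // Default Yaml (SnakeYAML 1.x) uses the full Constructor: the tag is
    // resolved with Class.forName, the object is created and its properties set.
    static Object loadWithDefaults(String doc) {
        return new Yaml().load(doc);
    }

    // SafeConstructor only builds standard YAML types (maps, lists, scalars)
    // and throws for global tags that name Java classes.
    static Object loadSafely(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Object fromDefault = loadWithDefaults(UNTRUSTED_DOC);
        System.out.println("default:         " + fromDefault.getClass().getName()
                + " -> " + fromDefault);
        try {
            loadSafely(UNTRUSTED_DOC);
            System.out.println("SafeConstructor: loaded (unexpected)");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor: rejected -> " + e.getMessage());
        }
    }
}
```

`ServiceConfig` is harmless, which is the point of the example: the loader never asked whether the document should be allowed to name a class at all. Swap in a class whose constructor or setters have side effects and the same tag mechanism becomes the code execution the post describes. Any code path that feeds untrusted YAML to `new Yaml()` in SnakeYAML 1.x should use `SafeConstructor` (or a loader restricted to the expected document shape) instead.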

Insecure deserialization

I wrote the following article about insecure deserialization for my employer, Sqills. I’m a software developer and a member of the internal Red Team. As a Red Team member I test the security of our applications and try to hack our way in. Another goal of our team is to share security knowledge with our colleagues. What is (de)serialization? We see serialization and deserialization a lot when we implement applications and services.

Firebase during bug bounty hunting

Firebase is a startup that was founded in 2011. Google acquired Firebase in 2014, and its feature set has grown steadily since. It contains features and APIs such as databases, remote configuration, serverless functions, hosting, authentication and even machine learning. All of these are simple to integrate using the SDKs Firebase provides for many programming languages. The number of organisations using Firebase in their software is also growing.

First post

Welcome to my brand-new site. Currently there’s not much here, but I’m working on some content. I want to publish write-ups about my findings and my security and development research here, so keep an eye open for further updates!