Hi, welcome to j0vsec.com.
My name is Jordy Versmissen and I’m a software developer and security researcher. You can find some blog posts of my research, tips, etc. here. For more about me, check out the about page or my LinkedIn profile. If you have any questions, please feel free to contact me.
CVE-2021-43798 - PATH TRAVERSAL VULNERABILITY IN GRAFANA
In December 2021 I reported a so-called path traversal vulnerability in Grafana. With the vulnerability it is possible for an unauthenticated user to read files on the host. The CVE for the vulnerability is CVE-2021-43798, which has a CVSSv3 score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). I reported the vulnerability to Grafana on December 2nd and the team took action right away. As this was the first high vulnerability I discovered, I couldn’t control my excitement and posted a Tweet about the fact that I had found a path traversal vulnerability in Grafana. After a few days I received notifications that other security researchers had also found the vulnerability in Grafana’s code base and had published a proof-of-concept on GitHub and Twitter. With all good intentions I had placed the Grafana team in a bit of a stressful situation, so the fix got released on December 7th, a couple of days earlier than was planned. Lessons learned: never underestimate the power of social media, and I have to control my excitement. Another lesson learned is the way Golang’s path.Clean method works, and that you always have to read the documentation.
CVE-2021-25738
In April 2021 I found a vulnerability in the Kubernetes Java Client. The Java client uses SnakeYAML, which is a very popular Java library to serialize and deserialize YAML. SnakeYAML has a feature to (de)serialize Java objects which can be used to execute arbitrary code. This feature is enabled by default. My finding in the Kubernetes Java client was registered by Kubernetes as a CVE and the report on HackerOne got disclosed today. I want to explain a bit more about this vulnerability.
INSECURE DESERIALIZATION
I wrote the following article about insecure deserialization for my employer Sqills. I’m a software developer and member of the internal Red Team. As a Red Team member I test the security of our applications and try to hack our way in. Another goal of our team is to share knowledge about security with our colleagues.

What is (de)serialization? We see serialization and deserialization a lot when we implement applications and services. Serialization is a way of converting data objects into a format which can be used to transfer the object. Some commonly known examples are YAML, XML and JSON, but there are more ways to serialize data. When we serialize, we transform our objects into a transferable format, and during deserialization we transform that format back into objects we can use in our software.
FIREBASE DURING BUG BOUNTY HUNTING
Firebase is a startup which was founded in 2011. In 2014 Google acquired Firebase and since then the feature set of Firebase has become bigger and bigger. It contains features and APIs like databases, remote configuration, serverless functions, hosting, authentication and even machine learning. All these functions are really simple to implement by using the SDKs which they provide in many programming languages. The number of organisations which are using Firebase in their software is also growing. According to Wappalyzer there are over 40.100 websites which are using Firebase. Most of the Android apps that I reverse engineered also had references to Firebase features; most of them used Firestore, which is a serverless NoSQL database, or implemented Firebase Authentication for easy single sign-on with third-party providers.
FIRST POST
Welcome to my brand new site. Currently there’s not much here, but I’m working on some content. I want to publish some write-ups about my findings and my security and development research here. So keep an eye open for further updates!