Bug Bytes #203 – CVSS 4.0, MOVEIt and How CI/CD Pipelines Go Wrong

By travisintigriti

June 14, 2023

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the weeks from May 29th to June 11th


Intigriti News

From my notebook

No real theme this week, here’s some of the most interesting stuff I read!

  1. Authentication Bypass Using Root Array – This is a deep dive into a #bugbountytips tweet diving in to the how and why of this authentication issue

  2. CSP Bypass Unveiled: The Hidden Threat of Bookmarklets – I LOVE bookmarklets they’re a combination of javascript and a bookmark to make dynamic bookmarks, anyway here’s bookmarklet malware

  3. Hacking AI: System Takeover in MLflow Strikes Again (And Again) – Good write up of an AI security bug!

  4. Common Vulnerability Scoring System – CVSS has been updated to version 4, here are the changes

  5. Casey Ellis: Pioneering The Bug Bounty Platform To Empower Ethical Hackers – Great podcast episode on the history of bug bounty hunting and a reminder of how dire disclosure used to be!

  6. Patch Diffing Progress MOVEIt Transfer RCE (CVE-2023-34362) – OKAY extra bonus for this week, analysing the patch notes to reverse engineer the MoveIt bug

You may also like