Findings

This section is a collection of security findings I was involved in, either as part of my job or as a simple user. It includes, when possible, the story behind each one.

| status² | | description |
|---|---|---|
| Full disclosure | CVE-2022-22971 | A very simple to trigger DoS on Spring websocket |
| Partial disclosure | Some Belgian e-shop site | An unsurprising but worrying security vulnerability on an e-shop (French version) |

² status is one of the following:

  • Embargo

    Those findings have been discovered but are still under embargo. They are parked here before they go to the sections below. The description of the issue is kept basic so that the attack techniques and the targeted service cannot be inferred. It will mainly contain a record of the communication steps and the targeted disclosure date.

  • Partial disclosure

    Those issues are being partially disclosed. It could be because the third party involved has agreed to partial disclosure. It could be because vulnerable services still exist and providing an exploit would be dangerous, or for whatever other reason. Or it could be because I haven’t had time to write a full public explanation yet.

  • Full disclosure

    I document all details about the issue: how and where it was discovered, and how communication went with the vendor. This could include exploit code, proof of reproducibility, workarounds and documents I sent to the third party. I may feel like adding some story blogs around them.