Category Archives: Application Development

CVE-2025-54419: Design weakness in version 5.0.1, Node-SAML (30th July 2025)

Preface: SSO isn’t completely secure; in fact, it depends on the design of the entire system. This month, a YouTuber, known for his camera skills, posted a video about his experience, which resulted in him losing all his miles redeemed in February 2025. He contacted airline customer service, but received no reasonable response. The airline strictly adhered to SSO certification regulations. The truth later came to light this month (July 2025).

Background: node-saml is a library for implementing SAML 2.0 authentication in Node.js applications. It is designed for Node.js, meaning its API and integration patterns are tailored for the JavaScript ecosystem. Other SAML libraries exist for different programming languages (e.g., Java, Python, .NET), each with its own conventions and dependencies.

A SAML response or assertion signed with the Identity Provider’s (IdP) private key is considered a validly signed document. This digital signature ensures the integrity and authenticity of the SAML message, confirming it hasn’t been tampered with and originates from a trusted IdP.

SAML relies on digital signatures to ensure the integrity and authenticity of messages exchanged between the Identity Provider (IdP) and the Service Provider (SP). The IdP digitally signs SAML responses and assertions using its private key. The SP then uses the corresponding public key (obtained from the IdP’s signing certificate) to verify the signature, ensuring the message hasn’t been tampered with and originates from a trusted IdP.

Vulnerability details: Node-SAML is a SAML library, not dependent on any frameworks, that runs in Node. In version 5.0.1, Node-SAML loads the assertion from the (unsigned) original response document, which is not the same content that is verified when the signature is checked. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. To conduct the attack, an attacker would need a validly signed document from the identity provider (IdP). This is fixed in version 5.1.0.
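A simplified Go model of the verify-then-use gap described above, added here as an illustration; it is not node-saml's code and does not reproduce the CVE's exact mechanism. The document layout, the Ed25519 signature over raw bytes (instead of XML-DSig) and all function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// between returns the bytes between the first open marker and the next end marker.
func between(b []byte, open, end string) ([]byte, bool) {
	_, rest, ok1 := bytes.Cut(b, []byte(open))
	body, _, ok2 := bytes.Cut(rest, []byte(end))
	return body, ok1 && ok2
}

// verified returns the exact signed bytes. Toy rule, not XML-DSig: the <Assertion> with ID refID.
func verified(pub ed25519.PublicKey, doc []byte, refID string, sig []byte) ([]byte, error) {
	open := `<Assertion ID="` + refID + `">`
	body, ok := between(doc, open, "</Assertion>")
	signed := []byte(open + string(body) + "</Assertion>")
	if !ok || !ed25519.Verify(pub, signed, sig) {
		return nil, fmt.Errorf("no validly signed assertion")
	}
	return signed, nil
}

// nameIDFromOriginal is the flawed pattern: verify, then read the whole document.
func nameIDFromOriginal(pub ed25519.PublicKey, doc []byte, refID string, sig []byte) (string, error) {
	if _, err := verified(pub, doc, refID, sig); err != nil {
		return "", err
	}
	v, _ := between(doc, "<NameID>", "</NameID>")
	return string(v), nil
}

// nameIDFromVerified is the hardened pattern: parse only the bytes that verified.
func nameIDFromVerified(pub ed25519.PublicKey, doc []byte, refID string, sig []byte) (string, error) {
	signed, err := verified(pub, doc, refID, sig)
	v, ok := between(signed, "<NameID>", "</NameID>")
	if err != nil || !ok {
		return "", fmt.Errorf("no signed NameID")
	}
	return string(v), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	signed := `<Assertion ID="a1"><NameID>alice@example.test</NameID></Assertion>`
	doc := []byte(`<Response><Note><NameID>bob@example.test</NameID></Note>` + signed + `</Response>`)
	sig := ed25519.Sign(priv, []byte(signed)) // constructed sample: only `signed` is covered
	a, _ := nameIDFromOriginal(pub, doc, "a1", sig)
	b, _ := nameIDFromVerified(pub, doc, "a1", sig)
	fmt.Println("original document:", a, "| verified bytes:", b)
}
```

The design point for a service provider is that the verification routine hands back the content it verified, and every later step reads from that content only.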

Official announcement: Please refer to the link for details – https://www.tenable.com/cve/CVE-2025-54419

CVE-2025-3305: code projects IKUN_Library – Improper access control and incorrect privilege assignment (6th Apr 2025)

Preface: Investment banks use Spring Boot for developing microservices and REST APIs. The hospitality industry uses Spring Boot for various backend services. Automotive companies use Spring Boot for configuration management and service discovery.

Background: IKUN_Library 1.0 is a library management system developed using SpringBoot and MyBatis. It provides functionalities for managing books, readers, and borrowing records. The system includes features like:

  • Basic CRUD operations (Create, Read, Update, Delete)
  • Login validation with interceptors
  • RESTful API for interface design
  • Database management using MySQL

Spring Boot is a popular framework that can be used to build a wide variety of Java applications. It is commonly used to build web applications, including REST APIs, web services, and MVC-based applications.

Vulnerability details: A vulnerability has been found in 1902756969/code-projects IKUN_Library 1.0 and classified as problematic. This vulnerability affects the function addInterceptors of the file MvcConfig.java of the component Borrow Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2025-3305

CVE-2025-0098: Prevent activity token leaked to another process (3rd Feb 2025)

Preface: Android frameworks deliver an environment where you already have access to libraries, best practices, and extensive help documentation. As a matter of fact, there are well over ten Android frameworks.

Background: TaskFragmentOrganizerController.java is a part of the Android Open Source Project (AOSP). It is located in the services/core/java/com/android/server/wm directory of the Android framework. This file is responsible for managing the organization and lifecycle of task fragments within the Android window management system.

The TaskFragmentOrganizerController works closely with the TaskFragmentOrganizer class, which provides an interface for controlling task fragments. These task fragments allow for more flexible and dynamic UI layouts by enabling parts of an activity to be managed independently.

In the context of TaskFragmentOrganizerController.java, a token typically refers to an identifier used to manage and track task fragments within the Android window management system. These tokens are often used to ensure that operations on task fragments are performed securely and correctly.

For example, a temporary token might be generated to allow an organizer to reparent an activity through a WindowContainerTransaction. This helps maintain the integrity and security of the task fragments being managed.

Remark: WindowContainerTransaction represents a collection of operations on some WindowContainer that should be applied at once.

Vulnerability details: A malicious app could register the organizer via a one-way binder call to disguise itself as running on pid 0.

Official announcement: Please refer to the link for details – https://source.android.com/docs/security/bulletin/2025-02-01

Pushing open source development concept into space (27th Dec 2024)

Preface: We live in a three-dimensional world. We move in space, left or right, forward or backward, up or down. Furthermore, living things do not live forever. Hardware and software also have life cycles. Human beings seem to be destined to live on earth. There are eight planets in the solar system that are not suitable for human survival. Rockets travel through the atmosphere to explore space. The time required is unknown, and there is no absolute answer to whether the target will be found. In space, the unit of distance is light years. Travelling from one planet to another requires at least a lifetime of human dedication. I assume that the AI collects all existing data collected by SpaceX for analysis, and if the AI cannot completely open the secret door of the Einstein-Rosen Bridge (for time travel), maybe he will stay on Earth.

Technical focus: For computers to survive in space, they must be hardened — made of resilient materials and designed to withstand high doses of radiation. But to make a computer fit for space takes years. Satellite manufacturers therefore often have to make do with rather obsolete processors.

About software development: Java has become one of the most widely used programming languages across various industries, including space exploration. At NASA, Java is used for developing highly interactive systems, mission-critical software, and user interfaces that support space operations.

Ref: Java Pathfinder (JPF) is a model checker for Java. The technology takes a Java program and “executes” it in a way that explores all possible executions/interleavings of the threads in the program. This allows JPF to detect certain bugs (e.g., deadlocks and assertion violations) that may be missed during testing.

About the topic: Antmicro & AetheroSpace launched Zephyr IoT into space in SpaceX’s. Aethero has recently announced a groundbreaking collaboration with Antmicro, a leading technology company specializing in open source tools, to develop cutting-edge edge AI hardware tailored for space applications.

Antmicro played a crucial role in providing the software foundation for the NxN Edge Computing Module, contributing both Linux and Zephyr RTOS software for controlling the payload. Additionally, Antmicro implemented their open source RDFM framework, enabling modular, configurable, multi-OS device OTA updates and fleet management through Aethero’s user portal.

For details about Antmicro, please refer to link below: https://hardwarebee.com/electronic-breaking-news/aethero-and-antmicro-collaborate-on-open-source-space-edge-ai-design/

Are you still a fan of Nvidia? Or do you support AMD now? (23rd Dec 2024)

Preface: In the field of artificial intelligence (AI), NVIDIA and AMD are leading the way, pushing the limits of computing power. Both companies have launched powerful AI chips, but the comparison between the H100 and MI250X raises the question of superiority.

Background: What is AMD Instinct MI250X? AMD Instinct™ MI250X Series accelerators are uniquely suited to power even the most demanding AI and HPC workloads, delivering exceptional compute performance, massive memory density, high-bandwidth memory, and support for specialised data formats.

AMD now has more computing power than Nvidia in the Top500. Five systems use AMD processors (El Capitan, Frontier, HPC6, LUMI, and Tuolumne) while three systems use Intel (Aurora, Eagle, Leonardo).

Software Stack: ROCm offers a suite of optimizations for AI workloads from large language models (LLMs) to image and video detection and recognition, life sciences and drug discovery, autonomous driving, robotics, and more. ROCm supports the broader AI software ecosystem, including open frameworks, models, and tools.

HIP is a thin API with little or no performance impact over coding directly in NVIDIA CUDA or AMD ROCm.

HIP enables coding in a single-source C++ programming language including features such as templates, C++11 lambdas, classes, namespaces, and more.

Developers can specialize for the platform (CUDA or ROCm) to tune for performance or handle tricky cases.

Ref: What is the difference between ROCm and HIP?

ROCm™ is AMD’s open source software platform for GPU-accelerated high performance computing and machine learning. HIP is ROCm’s C++ dialect designed to ease conversion of CUDA applications to portable C++ code.

Official article: Please refer to the link for details

https://www.amd.com/en/products/accelerators/instinct/mi200/mi250x.html

CVE-2024-0132: About NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability (25th Sep 2024)

Preface: In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

Background: The NVIDIA container stack is architected so that it can be targeted to support any container runtime in the ecosystem. The components of the stack include:

  • The NVIDIA Container Runtime (nvidia-container-runtime)
  • The NVIDIA Container Runtime Hook (nvidia-container-toolkit / nvidia-container-runtime-hook)
  • The NVIDIA Container Library and CLI (libnvidia-container1, nvidia-container-cli)

The components of the NVIDIA container stack are packaged as the NVIDIA Container Toolkit.

The NVIDIA Container Toolkit is a key component in enabling Docker containers to leverage the raw power of NVIDIA GPUs. This toolkit allows for the integration of GPU resources into your Docker containers.

Vulnerability details: NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

Official announcement: Please refer to the vendor announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5582

CVE-2024-34731: last week CVEs, today story. (29th Aug 2024)

Preface: A race condition vulnerability is a software bug in which the unexpected results of a race can be exploited by malicious entities.

The race condition is a privilege escalation vulnerability that manipulates the time between imposing a security control and using services in a UNIX-like system. This vulnerability is a result of interference caused by multiple sequential threads running in the system and sharing the same resources.

Background: TranscodingResourcePolicy is a component of the Android platform/frameworks/av package that manages resource policies for transcoding operations. Transcoding is the process of converting media files from one format to another.

Vulnerability details: In multiple functions of TranscodingResourcePolicy.cpp, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-34731

RHSA-2024-4982 -Security Advisory- OpenShift API for Data Protection (OADP) – Security Fix – golang: net/netip – CVE-2024-24790 (2nd Aug 2024)

Preface: The IPv4-mapped IPv6 address format allows the IPv4 address of an IPv4 node to be represented as an IPv6 address. The IPv4 address is encoded into the low-order 32 bits of the IPv6 address, and the high-order 96 bits hold the fixed prefix 0:0:0:0:0:FFFF.

Background: OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Package netip defines an IP address type that’s a small value type. Building on that Addr type, the package also defines AddrPort (an IP address and a port) and Prefix (an IP address and a bit length prefix).

Compared to the net.IP type, Addr type takes less memory, is immutable, and is comparable (supports == and being a map key).

Security Fixes from Bugzilla: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (CVE-2024-24790)
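A Go sketch of a defensive pattern for the Is methods named in this fix, added here as an example and not taken from OADP or the Go project: convert IPv4-mapped IPv6 addresses with Unmap before classifying them. The function names mapped, classify and allowEgress and the sample addresses are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// mapped builds the IPv4-mapped IPv6 form of a v4 address: 80 zero bits,
// 16 one bits (ffff), then the 32-bit IPv4 address in the low-order bits.
func mapped(v4 netip.Addr) netip.Addr {
	b := v4.As4()
	return netip.AddrFrom16([16]byte{10: 0xff, 11: 0xff, 12: b[0], 13: b[1], 14: b[2], 15: b[3]})
}

// classify normalises with Unmap before calling any Is method, so the answer
// does not depend on how a given Go release treats IPv4-mapped addresses.
func classify(s string) (string, error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return "", err
	}
	a = a.Unmap()
	switch {
	case a.IsUnspecified():
		return "unspecified", nil
	case a.IsLoopback():
		return "loopback", nil
	case a.IsPrivate():
		return "private", nil
	case a.IsLinkLocalUnicast():
		return "link-local", nil
	case a.IsMulticast():
		return "multicast", nil
	}
	return "global", nil
}

// allowEgress is a hypothetical outbound filter: only global targets pass.
func allowEgress(s string) bool {
	c, err := classify(s)
	return err == nil && c == "global"
}

func main() {
	for _, s := range []string{"127.0.0.1", mapped(netip.MustParseAddr("127.0.0.1")).String(),
		"::ffff:10.0.0.5", "::ffff:169.254.169.254", "::ffff:8.8.8.8"} { // constructed samples
		c, _ := classify(s)
		fmt.Printf("%-24s %-10s egress=%v\n", s, c, allowEgress(s))
	}
}
```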

Official announcement: Please refer to the website for details – https://access.redhat.com/errata/RHSA-2024:4982

Regarding CVE-2024-0108: The manufacturer did not describe much. Is the situation below exactly what CVE mentioned? (25/07/2024)

Preface: What is an example of autonomous AI?

Autonomous intelligence is artificial intelligence (AI) that can act without human intervention, input, or direct supervision. It’s considered the most advanced type of artificial intelligence. Examples may include smart manufacturing robots, self-driving cars, or care robots for the elderly.

Background: What is Jetson AGX Xavier used for?

As the world’s first computer designed specifically for autonomous machines, Jetson AGX Xavier has the performance to handle the visual odometry, sensor fusion, localization and mapping, obstacle detection, and path-planning algorithms that are critical to next-generation robots.

Vulnerability details: NVIDIA Jetson Linux contains a vulnerability in NvGPU where error handling paths in GPU MMU mapping code fail to clean up a failed mapping attempt. A successful exploit of this vulnerability may lead to denial of service, code execution, and escalation of privileges.

Official announcement: Please refer to the official announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5555

CVE-2024-6960: H2O Model Deserialization RCE (21st July 2024)

Preface: TensorFlow provides a flexible framework for deep learning tasks, but may not be as optimized as H2O for handling large datasets.

Background: H2O uses Iced classes as the primary means of moving Java Objects around the cluster.

Iced is an auto-serializer base class that uses a delegator pattern (the faster option is to byte-code gen directly in all Iced classes, but this requires that all Iced classes go through a ClassLoader).

Iced is a marker class, and Freezable is the companion marker interface. Marked classes have a 2-byte integer type associated with them, and an auto-genned delegate class is created to actually do byte-stream and JSON serialization and deserialization. Byte-stream serialization is extremely dense (includes various compressions), and typically memory-bandwidth bound to generate.

Vulnerability details: The H2O machine learning platform uses “Iced” classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-6960