Public talks

• Finding vulnerabilities at scale in Jenkins plugins using CodeQL @ BSides Barcelona 2024
• To the Upside Down and back: Destapando CVEs en aplicaciones Android desde dos mundos @ Navaja Negra X Edition (in Spanish)
• Find vulnerable Kotlin apps while testing CodeQL @ GitHub Universe 2022
• Security as Code: A DevSecOps Approach @ SpringOne 2021

Advisories

• CVE-2024-35181, CVE-2024-35182 (SQL injection in Meshery)
• CVE-2024-31450 (Arbitrary file deletion in Owncast)
• CVE-2024-29031 (SQL injection in Meshery)
• CVE-2023-41898 (Arbitrary URL load in Android WebView in Home Assistant Companion for Android)
• CVE-2023-45146 (Unsafe deserialization in XXL-RPC)
• CVE-2023-42809 (Unsafe deserialization in Redisson)
• CVE-2023-41937 (SSRF in Bitbucket Push and Pull Request Jenkins Plugin)
• CVE-2023-37960 (Arbitrary file read in Jenkins MathWorks Polyspace Plugin)
• CVE-2023-37942 (XXE in Jenkins External Monitor Job Plugin)
• CVE-2023-37471 (SAML signature validation bypass in OpenAM)
• CVE-2023-36480 (Unsafe deserialization in Aerospike Java client)
• CVE-2023-35947 (Arbitrary file read/write during TAR extraction in Gradle)
• CVE-2023-35147 (Unauthenticated arbitrary file read in AWS CodeCommit Trigger Jenkins Plugin)
• CVE-2023-33188 (Insufficient path validation in Omni-Notes Android App)
• CVE-2023-32991, CVE-2023-32992 (XXE and SSRF in SAML SSO Jenkins Plugin)
• CVE-2023-32986 (Arbitrary file write in File Parameters Jenkins Plugin)
• CVE-2023-32985 (Information disclosure in Sidebar Link Plug-in for Jenkins)
• CVE-2023-32981 (ZipSlip in Jenkins Pipeline Utility Steps Plugin)
• CVE-2023-24804 (Insufficient path validation in ownCloud Android app)
• CVE-2023-23948 (SQL injection in ownCloud Android app)
• CVE-2022-39349 (Arbitrary file read in Tasks.org Android app)
• GHSL-2022-046 (Intent URI permissions manipulation in WordPress for Android)
• GHSL-2022-024 (ReDoS in the Azure SDK for Java)
• GHSL-2022-023 (ReDoS in Apache Ignite)
• CVE-2022-31781 (ReDoS in Apache Tapestry)
• CVE-2022-30126, CVE-2022-33879 (ReDoS in Apache Tika)
• CVE-2022-29158 (ReDoS in Apache OFBiz)
• GHSL-2021-1054 and GHSL-2021-1055 (Unsafe deserialization in Log4j2 2.15.0)
• CVE-2021-43863 (SQL injection in Nextcloud for Android)
• CVE-2021-41256 (Intent URI permissions manipulation in Nextcloud News for Android)
• CVE-2021-41166 (Permission bypass in Nextcloud for Android)
• CVE-2021-32651 (LDAP injection in OneDev)
• CVE-2021-30005 (Local code execution in PyCharm)