> this attack shows how a relatively unknown component
why just this one? do we collectively have the memory of a goldfish? just recently, log4j had a similar blast radius. is it because one was seemingly malicious that the other doesn't count?
While the blast radius of both is large, there are major differences between them. Log4J was a largely app-level vulnerability affecting Java-based systems.
This vulnerability, had all gone to the attacker's plan, would have been present in the major distros' next major releases through a key infrastructure component which would have been installed far more widely, IMO.
Another major difference is that Log4J is already part of the Apache Foundation, which means it should have greater oversight/security maintenance anyway, while this is an attack against a solo developer.
It's definitely not to downplay the severity of the Log4J incident, by any means. But they are decidedly different.