505 matches found

Prion
added 2020/12/03 4:15 p.m., 14 views

Design/Logic Flaw

Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions...

CVSS 5 · AI score 5.1 · EPSS 0.00824
Exploits 0 · References 2 · Affected Software 1
CVE
added 2020/12/03 3:55 p.m., 63 views

CVE-2020-2323

Summary: Jenkins Chaos Monkey Plugin 0.4 and earlier lacks permission checks on an HTTP endpoint. This allows attackers with Overall/Read to access the Chaos Monkey page and view action history. Mitigation: Upgrade to version 0.4.1 or later, which requires Overall/Administer permission to access ...

CVSS 5.3 · AI score 5.1 · EPSS 0.00824
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2020/12/03 3:55 p.m., 17 views

CVE-2020-2323

Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint, allowing attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions...

AI score 5.2 · EPSS 0.00824
Exploits 0 · References 2
Cvelist
added 2020/12/03 3:55 p.m., 10 views

CVE-2020-2322

Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks...

AI score 7.5 · EPSS 0.01323
Exploits 0 · References 2
CVE
added 2020/12/03 3:55 p.m., 58 views

CVE-2020-2322

Affected software: Jenkins Chaos Monkey Plugin (versions 0.3 and earlier). Root cause: several HTTP endpoints do not perform permission checks. Impact: enables attackers with Overall/Read permission to generate load and memory leaks. Evidence: CVE-2020-2322 and connected advisories describe t...

CVSS 7.5 · AI score 7.4 · EPSS 0.01323
Exploits 0 · References 2 · Affected Software 1
CNNVD
added 2020/12/03 12:00 a.m., 3 views

Cloudbees Jenkins authorization issue vulnerability

Jenkins (originally from Hudson Labs) is a Java-based suite of continuous integration tools from the US company CloudBees. It is mainly used to monitor recurring software release/test jobs and some scheduled tasks. A security vulnerability exists in...

CVSS 5.3 · AI score 6.1 · EPSS 0.00824
Exploits 0 · References 5
Positive Technologies
added 2020/12/03 12:00 a.m., 5 views

PT-2020-15556 · Jenkins · Jenkins Chaos Monkey Plugin

Name of the Vulnerable Software and Affected Versions: Jenkins Chaos Monkey Plugin versions 0.3 and earlier Description: The issue concerns the Jenkins Chaos Monkey Plugin, where several HTTP endpoints do not perform permission checks. This allows attackers with Overall/Read permission to generat...

CVSS 7.5 · AI score 7.4 · EPSS 0.01323
Exploits 0 · References 7
Positive Technologies
added 2020/12/03 12:00 a.m., 4 views

PT-2020-15557 · Jenkins · Jenkins Chaos Monkey Plugin

Name of the Vulnerable Software and Affected Versions: Jenkins Chaos Monkey Plugin versions 0.4 and earlier Description: The issue allows attackers with Overall/Read permission to access the Chaos Monkey page and see the history of actions due to a lack of permission checks in an HTTP endpoint...

CVSS 5.3 · AI score 5.1 · EPSS 0.00824
Exploits 0 · References 7
CNNVD
added 2020/12/03 12:00 a.m., 4 views

Cloudbees Jenkins authorization issue vulnerability

Jenkins (originally from Hudson Labs) is a Java-based suite of continuous integration tools from the US company CloudBees. It is mainly used to monitor recurring software release/test jobs and some scheduled tasks. CVS Plugin is used in one of the CVS versi...

CVSS 7.5 · AI score 5.8 · EPSS 0.01323
Exploits 0 · References 5
Openbugbounty
added 2020/10/23 1:47 p.m., 11 views

monkey-r.com Cross Site Scripting vulnerability OBB-1440080

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...

AI score 6.2
Exploits 0
Github Security Blog
added 2020/10/05 3:48 p.m., 37 views

Possible timing attack in derivation_endpoint

Impact: When using the derivation_endpoint plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. Patches: The problem has been fixed by comparing sent and calculated signature in constant time, using Rack::Utils.secure_compare. Users using the...

CVSS 5.9 · AI score 3.3 · EPSS 0.00995
Exploits 0 · References 5 · Affected Software 1
OSV
added 2020/10/05 3:48 p.m., 12 views

GHSA-5JJV-X4FQ-QJWP Possible timing attack in derivation_endpoint

Impact: When using the derivation_endpoint plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. Patches: The problem has been fixed by comparing sent and calculated signature in constant time, using Rack::Utils.secure_compare. Users using the...

CVSS 5.9 · AI score 5.8 · EPSS 0.00995
Exploits 0 · References 5
RubySec
added 2020/10/05 12:00 a.m., 19 views

Possible timing attack in derivation_endpoint

Impact: When using the derivation_endpoint plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. Patches: The problem has been fixed by comparing sent and calculated signature in constant time, using Rack::Utils.secure_compare. Users using the...

CVSS 5.9 · AI score 6.6 · EPSS 0.00995
Exploits 0 · References 1 · Affected Software 1
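The timing leak and its fix, as an added example that is not the page's or Shrine's own code: a signed derivation URL of the kind the three advisories above describe, checked first with String#== (the leak) and then with a secure_compare written in the same shape as Rack::Utils.secure_compare (the fix the advisories name). The secret, the URL layout and every helper name below are assumptions made for illustration.

```ruby
require 'openssl'

# Added example, not Shrine's own code. The secret, the URL layout and all
# helper names below are assumptions made for illustration.
SECRET = 'constructed-secret-key-for-illustration'.freeze

# Build the derivation path exactly as it will appear in the URL, so the
# signature covers the derivation name, its arguments and the file id.
def derivation_path(name, args, file_id)
  "/derivations/#{name}/#{args.join('/')}/#{file_id}"
end

# HMAC-SHA256 over the path, hex encoded (64 characters).
def sign(path, secret = SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, path)
end

# VULNERABLE: String#== stops at the first mismatching byte, so the time the
# check takes depends on how many leading characters of the guess are right.
# An attacker who can measure that recovers the signature one character at a
# time instead of brute-forcing all 64 at once.
def valid_signature_insecure?(path, presented)
  sign(path) == presented
end

# Constant-time comparison in the same shape as Rack::Utils.secure_compare:
# reject a length mismatch up front, then XOR every byte and only look at the
# accumulated result at the end, so the running time does not depend on where
# the first difference is.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  acc = 0
  b.each_byte { |byte| acc |= byte ^ left.shift }
  acc.zero?
end

def valid_signature_secure?(path, presented)
  secure_compare(sign(path), presented.to_s)
end

# Deterministic stand-in for a clock: how many bytes an early-exit comparison
# inspects before it can return. This is the observable a timing attack
# measures; secure_compare touches every byte regardless.
def bytes_inspected_by_early_exit(expected, presented)
  expected.each_byte.with_index do |byte, i|
    return i + 1 if presented.getbyte(i) != byte
  end
  expected.bytesize
end

# Return a copy of a hex signature with the character at index i changed.
def flip_at(sig, i)
  copy = sig.dup
  copy[i] = sig[i] == '0' ? '1' : '0'
  copy
end

if __FILE__ == $PROGRAM_NAME
  path = derivation_path('thumbnail', [300, 300], 'abc123.jpg')
  good = sign(path)
  puts "early exit, wrong first char: #{bytes_inspected_by_early_exit(good, flip_at(good, 0))} byte(s)"
  puts "early exit, wrong last char:  #{bytes_inspected_by_early_exit(good, flip_at(good, 63))} byte(s)"
  puts "secure_compare, wrong last char: #{valid_signature_secure?(path, flip_at(good, 63))}"
end
```

Run with plain ruby; the counter reports one byte inspected when the first character is wrong and 64 when only the last one is, which is exactly the gradient the attack climbs. secure_compare still returns early on a length mismatch, but that reveals only the signature length, which an attacker already knows from the digest size; Rack::Utils.secure_compare makes the same trade-off.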
pentestit
added 2020/08/07 12:42 a.m., 52 views

UPDATE: Infection Monkey 1.9.0

Infection Monkey 1.9.0, the open source breach and attack simulation tool was released a few hours ago - just in time for BlackHat/DefCon 2020. My first post about this tool can be found in a post titled the List of Adversary Emulation Tools. Updates include an expanded list of MITRE ATT&CK...

AI score 2.2
Exploits 0
pentestit
added 2020/06/08 10:07 p.m., 36 views

UPDATE: Infection Monkey 1.8.2

Infection Monkey 1.8.2, the open source breach and attack simulation tool, was released yesterday. My first post about this tool can be found in a post titled the List of Adversary Emulation Tools. To keep it simple from the last update, this is a small maintenance release. It includes some bug...

AI score 2.7
Exploits 0
pentestit
added 2020/05/26 12:00 a.m., 35 views

UPDATE: Infection Monkey 1.8.0

Infection Monkey 1.8.0 was released a while ago. My first post about this tool can be found in a post titled the List of Adversary Emulation Tools. This is a big, exciting release, which enhances the Monkey’s capabilities. The Monkey now maps its actions to the MITRE ATT&CK knowledge base and as...

AI score 3.1
Exploits 0
Snyk
added 2020/04/17 12:00 a.m., 1 view

Malicious Package

Overview: spider-monkey is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run malicious 3rd party scripts. It impersonated genuine package names by swapping an underscore (_) for a hyphen (-) and vice versa. Remediation: Avoid using spider-monkey...

CVSS 8 · AI score 5.5
Exploits 0 · References 2
Github Security Blog
added 2020/03/19 5:30 p.m., 101 views

Cross site scripting vulnerability in ActionView

There is a possible cross-site scripting (XSS) vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS attacks. Impact: There is a possible XSS vulnerability in the j and escape_javascript methods in ActionView. These...

CVSS 4.8 · AI score 1 · EPSS 0.01543
Exploits 1 · References 10 · Affected Software 1
OSV
added 2020/03/19 5:30 p.m., 36 views

GHSA-65CV-R6X7-79HV Cross site scripting vulnerability in ActionView

There is a possible cross-site scripting (XSS) vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS attacks. Impact: There is a possible XSS vulnerability in the j and escape_javascript methods in ActionView. These...

CVSS 4.8 · AI score 5.7 · EPSS 0.01543
Exploits 1 · References 9
pentestit
added 2020/01/03 3:59 a.m., 241 views

UPDATE: Infection Monkey 1.7.0

Infection Monkey 1.7.0 was released a while ago. My first post about this tool can be found in a post titled the List of Adversary Emulation Tools. This is a big, exciting release, with a ton of new features and improvements and as always, this post will list down the changes for this version. Wh...

AI score 2.6
Exploits 0