이상 젠킨스 '플러그인의 hounded에서 취약점을 발견

젠킨스의 소프트웨어에 의해 중단 통합의 개방 악기 플러그인의 큰 숫자는 다른 버그와 취약점을 포함.

Vulnerabilities mainly connected with storing of passwords in non-encrypted form. 또한, 젠킨스 '소프트에서 발견 CSRF-공격을 자격 증명을 steaking 및 투입을 허용 CSRF-버그.

빅토르 리치, specialist of NCC Group that tested great number of Jenkins’ plugins, 이러한 문제를 밝혀.

These tests resulted in more than 100 plugins found vulnerable and several coordinated and responsible public disclosures”, — reports researcher.

As expert explained, though Jenkins encrypts passwords in credentials.xml file, some developers use other methods of data storage. In the majority of cases these decisions do not suggest are encryption. 그 위에, some web-forms, where users input credentials, enable leakage of passwords or secret tokens.

Web form shows no sign of clear text password
Web form shows no sign of clear text password

CSRF-vulnerabilities are connected with plugins’ functions, with the use of which users can check credentials and connect to a server. They mostly exist, as developers do not apply POST-requests that prevent attacks with the use of CSRF token.

In the last two years, Jenkins developers released several notifications that describe vulnerabilities in different plugins, including series of bugs, discovered by Gazdag.

Vulnerable plugins interact with a wide circle of services, ...을 포함하여 지저귀다, AWS, VMwareAzure. In most cases software was created by side developers that is not connected to vendor, whose software exploits plugin.

언급 한 바와 같이, authors of several plugins have already fixed bugs in their software, though many are still vulnerable. In their turn, Jenkins developers published a vast list of plugins that still are not fixed.

젠킨스 — is an open source tool supporting building, deploying and automating software development and delivery, and can be extended by plugins to introduce additional functionalities like Active Directory authentication, or solve reoccurring tasks such as executing a static code analyser or copying a compiled software to a CIFS share. Similar to WordPress, the core framework is extended by hundreds of plugins; where most of these plugins are developed by 3rd party developers and it is up to them how securely they write them.

출처: https://www.nccgroup.trust

트로이 킬러 소개

메모리 스틱에 트로이 킬러 휴대용 운반. 당신은 당신이 어디를 가든 당신의 PC가 어떤 사이버 위협에 저항 도울 수 있는지 확인하십시오.

또한 확인

Heroku가 클라우드 플랫폼에 MageCart

연구진은 여러 MageCart 웹 스키머에 Heroku가 클라우드 플랫폼 발견

Malwarebytes 연구원은 Heroku가 클라우드 플랫폼에서 여러 MageCart 웹 스키머를 찾는 것에 대해보고 …

안드로이드 스파이웨어 CallerSpy

안드로이드 채팅 응용 프로그램으로 CallerSpy 스파이웨어 마스크

트렌드 마이크로의 전문가들은 악성 코드 CallerSpy 발견, 안드로이드 채팅 응용 프로그램으로하는 마스크와, …

회신을 남겨주