Headline
CVE-2022-40605: Release 4.1.0 · mitre/caldera
MITRE CALDERA before 4.1.0 allows XSS in the Operations tab and/or Debrief plugin via a crafted operation name, a different vulnerability than CVE-2022-40606.
What’s Changed****Bug Patches
- Fixed “Save + Add” button on “Add Ability” modal in adversaries page so it doesn’t result in an error. #2637
- Fixed a first-time startup error in the Atomic plugin resulting from a loop when parsing atomic abilities. #2657
- Fixed a bug in the Training plugin preventing the first manx flag from completing. #2638
- Fixed "(unexpected keyword argument ‘loop’)" error from the start_server call. #2625
Security Fixes
- Patched a XSS bug found in the Operations tab and Debrief plugin that took advantage of unsanitized input in an operation’s name field. #2644
- Disclosure reports coming soon, stay tuned
- Credit to Jayson Grace from Meta’s Purple Team for discovering this vulnerability
Operations Page
- Added “Operations Detail” modal on operation page that shows how the operation was configured at its start. #2558
- Tidied up row of buttons so they align better. #2615
Adversaries
(New!) “Everything Bagel” adversary: A collection of all CALDERA abilities ordered by ATT&CK tactic. Particularly useful when using the new advanced planners (see below) and want all abilities at the disposal of the planner.
(In progress) Added a missing ability to the “Worm” Adversary in the Stockpile plugin.
Planners
(New!) Look-Ahead Planner: A CALDERA planner that decides which abilities to execute based on expected future reward.
(New!) Guided Planner: A CALDERA planner which makes use of “distance to goals” in a dependency graph to select the optimal next action.
New Contributors
- @jt0dd made their first contribution in #2590
- @sgianvecchio made their first contribution in #2563
- @pierregi made their first contribution in #2577
- @djmartin41041 made their first contribution in #2649
- @Morpheme777 made their first contribution in #2642
Full Changelog: 4.0.0…4.1.0