#zero_day

A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

Earlier today we announced MSRC’s 2018-2019 Most Valuable Security Researchers at Black Hat. The following 75 researchers hail from all corners of the world and possess varied experience and skills, yet all of them have contributed to securing the Microsoft’s customers and the broader ecosystem. For over a decade, one of Microsoft’s partners in vulnerability research and disclosure has been Trend Micro’s Zero Day Initiative.

Earlier today we announced MSRC’s 2018-2019 Most Valuable Security Researchers at Black Hat. The following 75 researchers hail from all corners of the world and possess varied experience and skills, yet all of them have contributed to securing the Microsoft’s customers and the broader ecosystem. For over a decade, one of Microsoft’s partners in vulnerability research and disclosure has been Trend Micro’s Zero Day Initiative.

Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied.

Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token in the project workspace, where it could be accessed by users with Job/Read permission.

A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.

We’re getting close to Black Hat, and we hope to see you there. Here’s where you can find members of the Microsoft Security Response Center if you’d like to say hello, ask a question about a report you made, discuss a recent blog article, or just show us pictures of your dog.

We deeply appreciate the partnership of the many talented security researchers who report vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure. We pay bounties for research in key areas, and each year at Black Hat USA, we’ve recognized the most impactful researchers helping to protect the ecosystem. That’s not changing; we’re continuing to expand our bounty programs and will continue to recognize researchers with the greatest impact on the security ecosystem.

Today we announce the top organizational candidates for Vulnerability Top Contributors, Threat Indicator Top Submitters, and Zero-Day Top Reporting for the period of July 1, 2018 – June 30, 2019. The Microsoft Active Protections Program provides security and protection to customers through cooperation and collaboration with industry leading partners. This bi-directional sharing program of threat and vulnerability data has proven instrumental to help prevent broad attacks and quickly resolve security vulnerabilities in Microsoft products and services.