SWAMP Security Notification: Vulnerability in SWAMP Plug-ins and Library
Dear SWAMP Users,
A MODERATE security vulnerability was discovered that affects the following versions (and earlier) of the SWAMP plug-ins and libraries on shared systems. Users who are not using any of the following plug-ins or libraries are not affected by this vulnerability.
IMPACTED VERSIONS
- swamp-scms-plugin 1.3.4 and earlier
- swamp-eclipse-plugin 1.1.0 and earlier
- swamp-jenkins-plugin 1.1.1 and earlier
- java-cli 1.4.1 and earlier
WHAT IS THE VULNERABILITY
When a vulnerable version of the software is run on a host by a user, it is possible for an attacker with an account on the same host to impersonate the user’s SWAMP identity and gain access to their SWAMP account. For each successful attack, the attacker will be able to impersonate the user for a maximum time period of two days.
WHAT YOU SHOULD DO
SWAMP users running any of the affected plug-ins or libraries should update to the most current versions as soon as possible if they have not already done so. The vulnerability is remediated in the following versions or later:
- swamp-scms-plugin 1.3.5
  The latest version can be downloaded from https://github.com/mirswamp/swamp-scms-plugin/releases/tag/releases%2F1.3.5. Update instructions can be found at https://github.com/mirswamp/swamp-scms-plugin.
- swamp-eclipse-plugin 1.1.1
  The latest version can be downloaded and installed directly from within Eclipse. Update instructions can be found at https://github.com/mirswamp/swamp-eclipse-plugin.
- swamp-jenkins-plugin 1.1.2
  The latest version can be downloaded and installed directly from within Jenkins. Update instructions can be found at https://github.com/mirswamp/swamp-jenkins-plugin.
- java-cli 1.4.2
  The latest version of the .jar file and source code can be downloaded from https://github.com/mirswamp/java-cli/releases/releases%2F1.4.2.
Please contact SWAMP staff at support@continuousassurance.org if you have any questions or concerns.