had nothing to do with arbitrary code execution, but was rather an issue discovered by the Jenkins security team that allowed a small subset of existing Jenkins code to be invoked by a remote client,” Daniel Beck, Jenkins security officer, told The Daily Swig in an email. “While the known impact is pretty limited, we felt that the layer at which the vulnerability existed, and its potential, warranted a higher score.”

These potential attacks include unauthenticated users being able to invalidate sessions when running with the built-in server, and users with Overall/Read permissions being able to create new user objects in memory.

The advisory reads: “Given the vast potential attack surface, we fully expect other attacks, that we are not currently aware of, to be possible on Jenkins releases that do not have this fix applied.

“This is reflected in the high score we assigned to this issue, rather than limiting the score to the impact through known issues.”

Beck added: “Jenkins users should always keep their instances up to date. In this case, we released updates for two LTS lines simultaneously for the first time, so admins could apply the update without having to go through a major version jump.

“We strive to fix all security vulnerabilities in Jenkins and plugins in a timely manner.”

Reflection is also used by Apache Struts, via the OGNL library. Struts has suffered a number of serious security flaws in recent years. In 2017, a vulnerability in the framework was exploited to expose the details of up to 148 million Equifax customers.

Another flaw, revealed in August 2018, could lead to remote code execution. These issues underline the dangers of using reflection with untrusted data, and application architects would do well to avoid this unsafe practice.
Ciphr, a company which offers encrypted communications for BlackBerry 10 and Samsung Knox smartphones, claims that a rival firm is behind a data dump of its customers' email addresses and their devices' IMEI numbers. A website displaying the alleged leaked data claims that “all Ciphr emails/servers have been compromised.” Two sources that use Ciphr on their phones told Motherboard the leak includes their information as well as the data of other users. Specifically, the website lists users' email addresses and IMEI numbers, data which law enforcement can leverage to expose a user.

In a message provided to Motherboard from one of its sources, the privacy platform says the data dump was not the result of a data breach. Instead, Ciphr blames a rival company for the incident: “Our rapid growth has caught the attention of competitors seeking to slow us down by way of slander, blocking and DDOS [distributed denial of service attacks] ... We were shocked that any company in this industry would release information to the public under any circumstance.”

Ciphr's management explains in a blog post that a rogue reseller who was granted access to its sales systems gave the information to SkySecure, which makes custom BlackBerry devices. The company goes on to note that most of the information included in the data dump had already expired. But it does say a few active users' email addresses and IMEI numbers were included in the leak.