On January 13th-15th, 2020, the major Java artifact repositories stop serving downloads over plain HTTP, which will break over 21% of the industry's Java build infrastructure. Six months since my initial article disclosing this industry-wide vulnerability, where are we now and what does the future hold?

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

CVE-Numbers

UPDATE — July 9th (am)

UPDATE — July 9th (pm)

Hundreds of incredibly popular and widely deployed Java libraries & JVM compilers are still downloading their dependencies over HTTP with no integrity checking.

Enter Dilettante

Two security vulnerabilities in the Gradle Plugin Portal would have allowed any website to change the username, email & password of any logged-in plugin author.

Clickjacking

An exploit allowed any Gradle Plugin on the Gradle Plugin Portal to have its artifact coordinates hijacked by a malicious actor.

TL;DR

The user only had to be using a wildcard dependency version and be using the Gradle Plugin Portal…
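The two exposures described above (dependencies fetched over plain HTTP with no integrity check, and wildcard plugin or dependency versions that would silently pick up a hijacked artifact) can both be found in a build script with a quick scan. The script below is an added example and is not code from these articles or from Gradle; the build files it scans are constructed samples, and the regexes are heuristics for the common Gradle Groovy DSL and Maven pom.xml forms rather than a full parser.

```python
import re
from typing import List, Tuple

# Constructed sample Gradle build script (not from any real project).
SAMPLE_BUILD_GRADLE = """
plugins {
    id 'com.example.some-plugin' version '1.+'
}
repositories {
    maven { url "http://repo.example.org/maven2" }
    maven { url "https://plugins.gradle.org/m2/" }
    mavenCentral()
}
dependencies {
    implementation 'com.google.guava:guava:28.1-jre'
    implementation 'org.apache.commons:commons-lang3:latest.release'
    testImplementation 'junit:junit:[4.12,5.0)'
}
"""

# Constructed sample Maven pom.xml fragment (not from any real project).
SAMPLE_POM = """<project>
  <repositories>
    <repository><id>insecure</id><url>http://repo.example.org/maven2</url></repository>
    <repository><id>ok</id><url>https://repo1.maven.org/maven2</url></repository>
  </repositories>
</project>
"""

# A repository URL introduced by a quote (Gradle) or a '>' (Maven <url>) and using
# plain http://. https:// does not match because the literal 'http://' is required.
HTTP_URL = re.compile(r'''["'>]\s*(http://[^\s"'<]+)''')

# Gradle 'group:name:version' coordinate strings.
GRADLE_COORD = re.compile(r'''['"]([\w.\-]+):([\w.\-]+):([^'"]+)['"]''')

# Gradle plugins-block entries: id 'x.y' version 'z'.
PLUGIN_VERSION = re.compile(r'''id\s+['"]([^'"]+)['"]\s+version\s+['"]([^'"]+)['"]''')


def is_dynamic_version(version: str) -> bool:
    """True for Gradle dynamic versions: '1.+', 'latest.release',
    'latest.integration' and version ranges such as '[4.12,5.0)'."""
    v = version.strip()
    if not v:
        return False
    return v.endswith("+") or v.startswith("latest.") or v[0] in "[("


def find_insecure_repositories(text: str) -> List[str]:
    """Return every repository URL that is fetched over plain HTTP."""
    return [m.group(1) for m in HTTP_URL.finditer(text)]


def find_dynamic_versions(text: str) -> List[Tuple[str, str]]:
    """Return (identifier, version) pairs whose version is not pinned,
    plugins first, then ordinary dependency coordinates."""
    findings = []
    for m in PLUGIN_VERSION.finditer(text):
        if is_dynamic_version(m.group(2)):
            findings.append((m.group(1), m.group(2)))
    for m in GRADLE_COORD.finditer(text):
        group, name, version = m.groups()
        if is_dynamic_version(version):
            findings.append((f"{group}:{name}", version))
    return findings


if __name__ == "__main__":
    for label, text in (("build.gradle", SAMPLE_BUILD_GRADLE), ("pom.xml", SAMPLE_POM)):
        for url in find_insecure_repositories(text):
            print(f"{label}: repository over plain HTTP: {url}")
        for ident, version in find_dynamic_versions(text):
            print(f"{label}: unpinned version {version!r} for {ident}")
```

A hit in either list is a finding to fix in the build itself: switch the repository URL to https:// and pin every plugin and dependency to an exact version. A pinned version on its own does not defend against an attacker who can serve a modified artifact over HTTP, and HTTPS alone does not help if a wildcard version pulls in whatever an attacker later publishes under hijacked coordinates, so both checks are needed.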

Jonathan Leitschuh

Software Engineer at Gradle Inc. Security Researcher; Open Source Contributor
