Research Shows Over 100,000 Libraries Affected By Maven Vulnerability CVE-2021-26291
I disclosed CVE-2021-26291, a vulnerability in the Java build tool Apache Maven. The vulnerability affects over 100,000 libraries in Maven Central.
Jonathan Leitschuh
United States
Jonathan Leitschuh is a Security Software Engineer and Security Researcher currently working for the JVM build tool company Gradle Inc. Jonathan is best known for the July 2019 Zoom Video Conferencing 0-Day Vulnerability. He also championed an industry-wide initiative to formally decommission the support of HTTP in favor of HTTPS only support by major artifact servers in the JVM ecosystem. He has a degree in Robotics and Computer Science from Worcester Polytechnic Institute. He enjoys finding security vulnerabilities in OSS in his free time as well as contributing to the GitHub Security Lab Bug Bounty Program. He's a strong proponent for security researchers having and enforcing vulnerability disclosure policies.
Community Contributions
[Live Stream] CodeQL Code Scanning Language Tutorial
Recording of my live streamed walkthrough of the CodeQL Code Scanning Tutorial
[Live Stream] CodeQL Code Scanning Language Tutorial
I did a live stream providing an introduction to the CodeQL programing language. This provided a guided walk-through of the CodeQL tutorial.
How to Hold a Virtual Memorial Service
Was interviewed by Steven Birenbaum for the NYT regarding the security of Zoom for holding virtual funerals, as well as my own experience holding a Zoom funeral for my mother in May of 2020.
CNAs and CVEs – Can allowing vendors to assign their own vulnerability IDs actually hinder security?
I was interviewed by PortSwigger for my comments and experience working with CNAs around issuing CVE numbers for security vulnerabilities.
CodeQL Roundtable stream w/@JLLeitschuh
A talk from @jlleitschuh explaining the ins and outs of code QL and how I landed some good bounties off it, while making the open source software world a more secure place. An awesome with a bit of a Q&A at the end.
Evicting HTTP from the JVM ecosystem supply chain
A talk on my work evicting HTTP (in favor of HTTPS) from the JVM ecosystem supply chain. This included authoring a CodeQL query to detect the vulnerability in Maven POM files and writing a bot to generate 1,596 PRs to fix the vulnerability across GitHub.
‘Security Botox’ or ‘amazingly successful’? Inside the battle to patch bug bounties’ biggest vulnerability
I was quoted in, and helped with the research for an article written by David Z. Morris discussing the current issues with today's Bug Bounty Programs.
Generating 1,596 PRs to fix an ecosystem-wide vulnerability
Using the CodeQL query I'd previously written to detect this vulnerability, I used the results of that query to generate 1,596 PRs to fix the widespread vulnerability in Maven POM files.
Shmoo Con: Zoom 0-Day: How Not to Handle a Vulnerability Report
I spoke at Shmoo Com about the 0-day vulnerability dropped on Zoom.
Update: Want to take over the Java ecosystem? All you need is a MITM!
Since my initial discovery of the HTTP based dependency download industry-wide security vulnerability, I'd been pushing forward an initiative for the major artifact hosts to all perform a coordinated drop of HTTP support on, or near, January 15th 2020.
I published this article discussing this plan and the initiative I'd been pushing forward and what repositories were participating.
CodeQL: Netty HTTP Response Splitting (CRLF Injection) due to disabled header validation
Contributed a CodeQL query to the GitHub Security Lab Bug Bounty Program to detect HTTP Response Splitting in the Netty HTTP library.
CodeQL: Maven: Use of insecure protocol to download/upload artifacts
Contributed a CodeQL query to the GitHub Security Lab Bug Bounty Program to detect the use of an insecure protocol (HTTP/FTP) to download/upload build dependencies and artifacts in Maven builds.
BSides CT: Zoom 0-Day: How not to handle a vulnerability report
I spoke at BSides CT about the 0-day vulnerability dropped on Zoom.
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
I publicly disclosed a security vulnerability impacting all Mac users of the Zoom video conferencing platform.
Want to take over the Java ecosystem? All you need is a MITM!
Disclosed an industry-wide vulnerability impacting the JVM ecosystem supply chain.