oss-sec mailing list archives
CVE request: Jenkins plugin 'Cucumber Reports' 1.3.0 to 2.5.1 disabled XSS protection mechanism
From: Daniel Beck <ml () beckweb net>
Date: Wed, 27 Jul 2016 14:35:03 +0200
Hello,

Please assign a CVE to this issue:

Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport (SECURITY-95). The Cucumber Reports Plugin disabled this XSS protection until Jenkins was restarted whenever a Cucumber Report was viewed by any user to work around the Content-Security-Policy limitations.

Affected versions

Cucumber Reports Plugin 1.3.0 to 2.5.1 (inclusive).

Fix

Users of Cucumber Reports Plugin should update it to version 2.6.0 or newer.

Advisory: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-07-27

Thanks!
Daniel
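A defender-side check that fits this advisory, added here as an example and not part of the mail or of any Jenkins code: given the response headers captured from an artifact or workspace URL, it reports whether the DirectoryBrowserSupport Content-Security-Policy is present and unweakened. The EXPECTED_CSP string is assumed to be the Jenkins default; the header dictionaries are constructed sample input.

```python
"""Verify that a Jenkins artifact/workspace response still carries the
restrictive Content-Security-Policy set by DirectoryBrowserSupport."""
from typing import Dict, List

# Assumed Jenkins default policy for DirectoryBrowserSupport (SECURITY-95);
# replace with your instance's configured value if you changed it.
EXPECTED_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # skip the empty piece after a trailing ';'
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(headers: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the protection is intact."""
    # HTTP header names are case-insensitive, so match them that way.
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return ["Content-Security-Policy header missing: protection disabled"]
    have = parse_csp(csp)
    findings = []
    for directive, sources in parse_csp(EXPECTED_CSP).items():
        if directive not in have:
            findings.append(f"missing directive: {directive}")
        elif have[directive] != sources:
            findings.append(f"{directive} weakened: {' '.join(have[directive])} "
                            f"(expected {' '.join(sources)})")
    return findings


# Constructed sample responses: intact, cleared by the plugin, and weakened.
GOOD = {"Content-Security-Policy": EXPECTED_CSP, "Content-Type": "text/html"}
DISABLED = {"Content-Type": "text/html"}
WEAK = {"content-security-policy": "default-src 'self'; script-src 'self'"}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("disabled", DISABLED), ("weak", WEAK)):
        print(name, csp_findings(hdrs) or "OK")
```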