oss-sec mailing list archives

CVE request: Jenkins plugin 'Cucumber Reports' 1.3.0 to 2.5.1 disabled XSS protection mechanism


From: Daniel Beck <ml () beckweb net>
Date: Wed, 27 Jul 2016 14:35:03 +0200

Hello,

Please assign a CVE to this issue:

Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting 
attacks using workspace files and archived artifacts served using DirectoryBrowserSupport (SECURITY-95). The Cucumber 
Reports Plugin disabled this XSS protection until Jenkins was restarted whenever a Cucumber Report was viewed by any 
user to work around the Content-Security-Policy limitations.

Affected versions
Cucumber Reports Plugin 1.3.0 to 2.5.1 (inclusive).

Fix
Users of Cucumber Reports Plugin should update it to version 2.6.0 or newer.

Advisory:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-07-27

Thanks!

Daniel
