Message-Id: <6EB473C2-2849-4E3E-99B0-BAF01AFD8718@beckweb.net>
Date: Wed, 27 Jul 2016 14:35:03 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: CVE request: Jenkins plugin 'Cucumber Reports' 1.3.0 to 2.5.1 disabled XSS protection mechanism

Hello,

Please assign a CVE to this issue:

Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport (SECURITY-95).

The Cucumber Reports Plugin disabled this XSS protection until Jenkins was restarted whenever a Cucumber Report was viewed by any user to work around the Content-Security-Policy limitations.

Affected versions

Cucumber Reports Plugin 1.3.0 to 2.5.1 (inclusive).

Fix

Users of Cucumber Reports Plugin should update it to version 2.6.0 or newer.

Advisory: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-07-27

Thanks!
Daniel