Date: Wed, 27 Jul 2016 14:35:03 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: CVE request: Jenkins plugin 'Cucumber Reports' 1.3.0 to 2.5.1 disabled XSS protection mechanism

Hello,

Please assign a CVE to this issue:

Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport (SECURITY-95). The Cucumber Reports Plugin disabled this XSS protection until Jenkins was restarted whenever a Cucumber Report was viewed by any user to work around the Content-Security-Policy limitations.

Affected versions
Cucumber Reports Plugin 1.3.0 to 2.5.1 (inclusive).

Fix
Users of Cucumber Reports Plugin should update it to version 2.6.0 or newer.

Advisory:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-07-27

Thanks!

Daniel
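A defender reading the advisory above will mostly want to know one thing: is the Content-Security-Policy header still being sent on files served from workspaces and archived artifacts, or has something (such as the plugin behaviour described) switched it off? The following check is an added example, not code from the post, from Jenkins, or from the Cucumber Reports Plugin. It inspects the response headers of a served file and reports whether the policy is present and still carries the restrictive directives. The expected default policy string is an assumption about Jenkins' DirectoryBrowserSupport defaults, and the sample responses are constructed, not captured from a real instance.

```python
"""Check whether a Jenkins-served file carries a restrictive Content-Security-Policy header."""
import urllib.request
from typing import Mapping

# Directives that Jenkins' default DirectoryBrowserSupport policy is assumed to carry
# (assumed default value: "sandbox; default-src 'none'; img-src 'self'; style-src 'self';").
REQUIRED_DIRECTIVES = ("sandbox", "default-src 'none'")


def parse_csp(value: str) -> dict:
    """Split a CSP header value into {directive-name: [source-expression, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(headers: Mapping[str, str]) -> dict:
    """Return a verdict on the CSP header of one HTTP response.

    headers maps header names to values (any letter case), e.g. the
    http.client.HTTPMessage returned by urllib or a constructed dict.
    """
    value = None
    for name, v in headers.items():
        if name.lower() == "content-security-policy":
            value = v
            break
    if value is None or not value.strip():
        # Header absent or empty: the XSS protection for served files is off.
        return {"present": False, "restrictive": False, "missing": list(REQUIRED_DIRECTIVES)}
    policy = parse_csp(value)
    missing = []
    if "sandbox" not in policy:
        missing.append("sandbox")
    if policy.get("default-src") != ["'none'"]:
        missing.append("default-src 'none'")
    return {"present": True, "restrictive": not missing, "missing": missing}


def fetch_headers(url: str, timeout: float = 10.0) -> dict:
    """HEAD-request a served file (e.g. a workspace or artifact URL) and return its headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers)


# Constructed sample responses (not captured from a real Jenkins instance).
SAMPLE_PROTECTED = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "sandbox; default-src 'none'; img-src 'self'; style-src 'self';",
}
SAMPLE_DISABLED = {"Content-Type": "text/html"}  # header gone: protection switched off
SAMPLE_WEAKENED = {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}

if __name__ == "__main__":
    for label, sample in (("protected", SAMPLE_PROTECTED),
                          ("disabled", SAMPLE_DISABLED),
                          ("weakened", SAMPLE_WEAKENED)):
        print(label, check_csp(sample))
```

To run it against a live instance, call `check_csp(fetch_headers("https://JENKINS-HOST/job/NAME/ws/some-file.html"))` with a placeholder host and job of your own; a result with `"present": False` after a Cucumber Report has been viewed is the symptom the advisory describes, and it persists until Jenkins is restarted.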
