Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 27 Jul 2016 14:35:03 +0200
From: Daniel Beck <>
Subject: CVE request: Jenkins plugin 'Cucumber Reports' 1.3.0 to 2.5.1 disabled XSS protection mechanism


Please assign a CVE to this issue:

Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport (SECURITY-95). The Cucumber Reports Plugin disabled this XSS protection until Jenkins was restarted whenever a Cucumber Report was viewed by any user to work around the Content-Security-Policy limitations.

Affected versions
Cucumber Reports Plugin 1.3.0 to 2.5.1 (inclusive).

Users of Cucumber Reports Plugin should update it to version 2.6.0 or newer.




Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.