
List:       oss-security
Subject:    [oss-security] CVE request: Jenkins plugin 'Cucumber Reports' 1.3.0 to 2.5.1 disabled XSS protection
From:       Daniel Beck <ml () beckweb ! net>
Date:       2016-07-27 12:35:03
Message-ID: 6EB473C2-2849-4E3E-99B0-BAF01AFD8718 () beckweb ! net

Hello,

Please assign a CVE to this issue:

Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport (SECURITY-95). The Cucumber Reports Plugin disabled this XSS protection until Jenkins was restarted whenever a Cucumber Report was viewed by any user to work around the Content-Security-Policy limitations.

Affected versions
Cucumber Reports Plugin 1.3.0 to 2.5.1 (inclusive).

Fix
Users of Cucumber Reports Plugin should update it to version 2.6.0 or newer.

Advisory:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-07-27

Thanks!

Daniel
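
A defender-side check for the condition this advisory describes, added here as an example (not part of the original message or of the Jenkins project): it classifies the Content-Security-Policy header returned for a workspace or artifact file, so an administrator can confirm after upgrading (or before a restart) that the DirectoryBrowserSupport protection is actually in effect. The default header value and the overriding system property name are stated from the Jenkins SECURITY-95 documentation and are assumptions, not taken from the message above.

```python
import urllib.request
from typing import Mapping

# Header Jenkins sends for files served by DirectoryBrowserSupport since the
# SECURITY-95 fix (assumption: value as documented by the Jenkins project).
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"
# System property that overrides that header; a plugin clearing it at runtime
# removes the protection until restart (assumption: property name).
CSP_PROPERTY = "hudson.model.DirectoryBrowserSupport.CSP"


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_status(headers: Mapping[str, str]) -> str:
    """Classify CSP protection on a served file: 'missing', 'weak' or 'ok'."""
    value = None
    for name, v in headers.items():
        if name.lower() == "content-security-policy":
            value = v
    if value is None or not value.strip():
        return "missing"  # header absent or emptied: the state this advisory describes
    policy = parse_csp(value)
    if "sandbox" not in policy:
        return "weak"  # no sandbox: an HTML file could run script in the Jenkins origin
    sandbox = policy["sandbox"]
    if "allow-scripts" in sandbox and "allow-same-origin" in sandbox:
        return "weak"  # sandbox present but effectively disabled
    script = policy.get("script-src", policy.get("default-src", []))
    if any(s.strip("'") in ("unsafe-inline", "*") for s in script):
        return "weak"
    return "ok"


def check_url(url: str) -> str:
    """Fetch a workspace/artifact URL (e.g. .../ws/report.html) and classify its CSP."""
    with urllib.request.urlopen(url) as resp:  # operator-supplied Jenkins URL
        return csp_status(dict(resp.headers.items()))
```

Point `check_url` at a workspace file on a test instance; a result of "missing" after viewing a Cucumber report on an affected plugin version reproduces the reported condition, and "ok" after the 2.6.0 upgrade and restart confirms the fix.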
