Jenkins Security Advisory 2016-07-27

This advisory announces a vulnerability in the Cucumber Reports Plugin.

Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

SECURITY-309

Jenkins 1.641 and 1.625.3, CloudBees Jenkins Enterprise 1.625.3.1 and 1.609.15.1, and CloudBees Jenkins Enterprise 1.625.3.1 and 1.609.15.1 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport (SECURITY-95).

The Cucumber Reports Plugin disabled this XSS protection until Jenkins was restarted whenever a Cucumber Report was viewed by any user to work around the Content-Security-Policy limitations.

While disabling this protection mechanism temporarily may be necessary to make plugins work that haven’t been adapted to work with the Content-Security-Policy restriction, this should only be done by administrators, as doing so may result in a security issue (see Configuring Content Security Policy on the Jenkins wiki).

Severity: 
  • SECURITY-309 is considered medium.

 

Fix: 

* Users of Cucumber Reports Plugin version 1.3.0 to 2.5.1 (inclusive) should update it to version 2.6.0 or newer.