• Icon: Improvement Improvement
    • Resolution: Won't Fix
    • Icon: Major Major
    • core
    • None

      Security scan tool found Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via the allowedDomain parameter. 
      Affected Version 2.5.0 to 2.9.0 (https://nvd.nist.gov/vuln/detail/CVE-2013-6780)

      and Jenkins is using 2.9.0

      Is it possible to update to 3.18.1 ?

       

          [JENKINS-72155] move to YUI Library version 3.18+

          Mark Waite added a comment -

          No, Jenkins won't be upgrading to a newer version of the YahooUI library. We continue to make progress towards the complete removal of the library, but we won't be upgrading to a newer version.

          The security scanning tool is incorrectly reporting this as as vulnerability. That is an error in the security scanning tool. Jenkins does not use or support SWF (Adobe Shockwave Format) and Adobe declared the Flash player as end of life Dec 31, 2020.

          Per our vulnerability reporting guidelines, we don't accept security reports for dependencies unless there is a demonstrated exploit of that vulnerability. That policy says:

          Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities. While we may inform maintainers about the need to update their dependencies and track progress in the SECURITY Jira project, no security advisory will be published for these.

          Mark Waite added a comment - No, Jenkins won't be upgrading to a newer version of the YahooUI library. We continue to make progress towards the complete removal of the library, but we won't be upgrading to a newer version. The security scanning tool is incorrectly reporting this as as vulnerability. That is an error in the security scanning tool. Jenkins does not use or support SWF (Adobe Shockwave Format) and Adobe declared the Flash player as end of life Dec 31, 2020 . Per our vulnerability reporting guidelines , we don't accept security reports for dependencies unless there is a demonstrated exploit of that vulnerability. That policy says: Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities. While we may inform maintainers about the need to update their dependencies and track progress in the SECURITY Jira project, no security advisory will be published for these.

            Unassigned Unassigned
            murat01 Murat
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: