-
Improvement
-
Resolution: Won't Fix
-
Major
-
None
Security scan tool found Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via the allowedDomain parameter.
Affected Version 2.5.0 to 2.9.0 (https://nvd.nist.gov/vuln/detail/CVE-2013-6780)
and Jenkins is using 2.9.0
Is it possible to update to 3.18.1 ?
- is related to
-
JENKINS-73539 Remove YUI
-
- In Progress
-
No, Jenkins won't be upgrading to a newer version of the YahooUI library. We continue to make progress towards the complete removal of the library, but we won't be upgrading to a newer version.
The security scanning tool is incorrectly reporting this as as vulnerability. That is an error in the security scanning tool. Jenkins does not use or support SWF (Adobe Shockwave Format) and Adobe declared the Flash player as end of life Dec 31, 2020.
Per our vulnerability reporting guidelines, we don't accept security reports for dependencies unless there is a demonstrated exploit of that vulnerability. That policy says: