[JENKINS-72465] Outpost24 security scanner incorrectly reports a YUI security vulnerability in Jenkins 2.401.3

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Critical
    • Component/s: core
    • PROD

      Hi Team,

      We could see that YUI, which is available under the Jenkins installation directory, has been detected with vulnerabilities.

      When we checked with the security team, they gave the below screenshot as vulnerable.

      Currently we are on 2.401.3 and this is almost the latest version. Could you please let us know how to get rid of these vulnerabilities.

      I selected the component as security-inspector as I could not find yui.


          sudheer kumar created issue -

          sudheer kumar added a comment -

          Note that the YUI currently available in the installation directory has reached end of life and the suggestion is to upgrade to a newer supported version.

          Could you please let us know in which version of Jenkins this YUI has been updated to the latest supported version.

          sudheer kumar made changes -
          Assignee Original: sudheer kumar [ sudheerkumar93 ]

          I changed the component to "core" and added the label "yui", because a fork of YUI is included as "war/src/main/webapp/scripts/yui/" in the Jenkins core source tree.

          In there, yahoo/yahoo-min.js claims it is YUI version 2.9.0. It was upgraded to that version in September 2011. After that, it has been edited in Jenkins. In particular, "connection/connection.swf" was deleted in July 2022 for JENKINS-68994, and now there aren't any SWF files left. I think that means the following vulnerabilities of YUI 2.9.0 do not apply to Jenkins:

          • CVE-2012-5881 in charts.swf
          • CVE-2012-5882 in uploader.swf
          • CVE-2012-5883 in swfstore.swf
          • CVE-2013-6780 in uploader.swf

          If you know about a YUI vulnerability that applies to Jenkins, please report it to the SECURITY project in Jira. See also this comment in JENKINS-72155.

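          The reasoning in the comment above (the bundled YUI identifies itself as 2.9.0, and the listed CVEs only matter if the corresponding SWF files are still shipped) can be turned into a triage check against an exploded jenkins.war. This is an added example, not code from Jenkins or from the commenter; it assumes the `scripts/yui/` layout named above and builds a constructed sample tree rather than reading a real installation.

```python
"""Triage a scanner's YUI finding against a Jenkins webapp root (added example)."""
import os
import re
import tempfile

# CVEs the comment above ties to specific YUI 2.9.0 SWF files.
SWF_CVES = {
    "CVE-2012-5881": "charts.swf",
    "CVE-2012-5882": "uploader.swf",
    "CVE-2012-5883": "swfstore.swf",
    "CVE-2013-6780": "uploader.swf",
}
# YUI 2 files end with a YAHOO.register(...) call carrying a version string.
VERSION_RE = re.compile(r'version:\s*"([\d.]+)"')


def triage_yui(root):
    """Report the YUI version string, remaining SWF files and which SWF CVEs still apply."""
    yui_dir = os.path.join(root, "scripts", "yui")
    version = None
    yahoo_js = os.path.join(yui_dir, "yahoo", "yahoo-min.js")
    if os.path.isfile(yahoo_js):
        with open(yahoo_js, encoding="utf-8", errors="replace") as f:
            match = VERSION_RE.search(f.read())
            version = match.group(1) if match else None
    # os.walk yields nothing if the directory is missing, so this is safe on any root.
    swf_files = sorted(
        os.path.relpath(os.path.join(d, n), yui_dir).replace(os.sep, "/")
        for d, _, names in os.walk(yui_dir) for n in names
        if n.lower().endswith(".swf")
    )
    present = {p.rsplit("/", 1)[-1] for p in swf_files}
    applicable = sorted(cve for cve, swf in SWF_CVES.items() if swf in present)
    return {"version": version, "swf_files": swf_files, "applicable_cves": applicable}


def build_sample_tree(with_swf):
    """Constructed stand-in for an exploded jenkins.war; not a real Jenkins install."""
    root = tempfile.mkdtemp(prefix="jenkins-webapp-")
    yahoo = os.path.join(root, "scripts", "yui", "yahoo")
    os.makedirs(yahoo)
    with open(os.path.join(yahoo, "yahoo-min.js"), "w", encoding="utf-8") as f:
        f.write('YAHOO.register("yahoo",YAHOO,{version:"2.9.0",build:"2800"});\n')
    if with_swf:  # simulate a tree where the Flash asset was never removed
        assets = os.path.join(root, "scripts", "yui", "uploader", "assets")
        os.makedirs(assets)
        open(os.path.join(assets, "uploader.swf"), "wb").close()
    return root


if __name__ == "__main__":
    for flag in (False, True):
        print(triage_yui(build_sample_tree(flag)))
```

          A version string alone is what the scanner matched on; the SWF listing is the evidence needed to decide whether the finding is actionable or a false positive.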
          Kalle Niemitalo made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: security-inspector-plugin [ 21938 ]
          Labels New: yui
          Mark Waite made changes -
          Summary Original: Security vulnerability still shows even after update to 2.401.3 New: Security scanner incorrectly reports a YUI security vulnerability in Jenkins 2.401.3

          Mark Waite added a comment -

          Closing as "not a defect" because the problem that is being reported by the security scanner is an issue in the security scanner, not an issue in Jenkins. Please note our reporting guidelines, which state:

          We do not consider the following issues to be vulnerabilities in Jenkins (core + plugins):

          • Vulnerabilities in dependencies without a plausible or demonstrated exploit will not be treated as vulnerabilities. While we inform maintainers about the need to update their dependencies, and may track progress in the SECURITY Jira project, no security advisory will be published for these.

          Mark Waite made changes -
          Resolution New: Not A Defect [ 7 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          Mark Waite made changes -
          Summary Original: Security scanner incorrectly reports a YUI security vulnerability in Jenkins 2.401.3 New: Outpust24 security scanner incorrectly reports a YUI security vulnerability in Jenkins 2.401.3
          Kalle Niemitalo made changes -
          Summary Original: Outpust24 security scanner incorrectly reports a YUI security vulnerability in Jenkins 2.401.3 New: Outpost24 security scanner incorrectly reports a YUI security vulnerability in Jenkins 2.401.3
