CloudBees Security Advisory 2016-07-27

This advisory announces a vulnerability in the Cucumber Reports Plugin.

Cucumber Reports Plugin disables Content-Security-Policy for archived and workspace files

SECURITY-309

Jenkins 1.641 and 1.625.3, CloudBees Jenkins Enterprise 1.625.3.1 and 1.609.15.1, and CloudBees Jenkins Enterprise 1.625.3.1 and 1.609.15.1 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport (SECURITY-95 ).

The Cucumber Reports Plugin disabled this XSS protection until Jenkins was restarted whenever a Cucumber Report was viewed by any user to work around the Content-Security-Policy limitations.

While disabling this protection mechanism temporarily may be necessary to make plugins work that haven't been adapted to work with the Content-Security-Policy restriction, this should only be done by administrators, as doing so may result in a security issue (see Configuring Content Security Policy on the Jenkins wiki).

Severity

  • SECURITY-309 is considered medium .

Fix


* Users of Cucumber Reports Plugin version 1.3.0 to 2.5.1 (inclusive) should update it to version 2.6.0 or newer.

More Security Advisories

Continuously redefine what’s possible through software

© 2025 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders. Jenkins® is a registered trademark of LF Charities Inc.
Terms of Service