Sorry Mark, not sure if you see "SECURITY-624" in the Table I posted. Here's the Jenkins Security Advisory:
https://jenkins.io/security/advisory/2017-12-05/ But then the Jenkins change log shows that with version 2.107, this was addressed (more than just a work around): https://jenkins.io/changelog/. We are at 2.107.1, but the scan is still tagging us on this issue. Thanks, Eric On Tue, Apr 17, 2018 at 2:36 PM, Mark Waite <mark.earl.wa...@gmail.com> wrote: > Your mail doesn't tell us what security vulnerability is believed to exist. > > Can you explain further what the report means and what you believe should > be done? > > Mark Waite > > On Tue, Apr 17, 2018, 9:02 AM Eric Fetzer <eric.fet...@gmail.com> wrote: > >> No one has any ideas about this at all? >> >> >> >> On Friday, April 13, 2018 at 12:21:36 PM UTC-6, Eric Fetzer wrote: >>> >>> We're getting gigged on a security scan that looking at Jenkins >>> documentation, should not be happening. The scan is turning up: >>> >>> >>> *Vulnerability* >>> >>> *Host* >>> >>> *IP* >>> >>> *Port* >>> >>> *201701* >>> >>> *201702* >>> >>> *201703* >>> >>> *201704* >>> >>> *201705* >>> >>> *201706* >>> >>> *201707* >>> >>> Jenkins JDK / Ant Tools Job Configuration Stored XSS Vulnerability >>> (SECURITY-624) >>> <redacted> >>> >>> <redacted> >>> >>> TCP:8080 >>> >>> NO >>> >>> NO >>> >>> NO >>> >>> NO >>> >>> NO >>> >>> NO >>> >>> NO >>> >>> >>> In the documentation, I see 2 places where this could be turning up. >>> Ant plugin prior to 1.8, and Jenkins version prior to 2.93. Our Jenkins >>> version is 2.107.1 and we just upgraded our Ant plugin to 1.8. Anyone have >>> an idea what's getting us here? >>> >>> Thanks, >>> Eric >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "Jenkins Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to jenkinsci-users+unsubscr...@googlegroups.com. >> To view this discussion on the web visit https://groups.google.com/d/ >> msgid/jenkinsci-users/58bf582a-a106-4f95-966a- >> 07642c16e11c%40googlegroups.com >> <https://groups.google.com/d/msgid/jenkinsci-users/58bf582a-a106-4f95-966a-07642c16e11c%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> For more options, visit https://groups.google.com/d/optout. >> > -- > You received this message because you are subscribed to a topic in the > Google Groups "Jenkins Users" group. > To unsubscribe from this topic, visit https://groups.google.com/d/ > topic/jenkinsci-users/fKY3_xmAPkk/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > jenkinsci-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/ > msgid/jenkinsci-users/CAO49JtH_8yxLHf2umcysCn1Wn7N248jMSyDXa- > ybz%3D0fA6fBaw%40mail.gmail.com > <https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtH_8yxLHf2umcysCn1Wn7N248jMSyDXa-ybz%3D0fA6fBaw%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAByBicY5ssbsUW9QVUiKsRuqRKvc0LT8UapxRghJDo-5TOx%2B-Q%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
