> On 24. Jul 2018, at 00:06, Mike Bragg <ymbr...@gmail.com> wrote:
> 
> An external team just came in and scanned our environment.  One of the things 
> they found was that the YUI scripts were old and had vulnerabilities.  I downloaded 
> the latest Jenkins war file and it had the same 2.9.0 versions with the 
> vulnerability.  Below is an example:
>  
> /static/12057b98/scripts/yui/event/event-min.js
>  
> https://www.cvedetails.com/cve/CVE-2013-4940/
>  
> Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility 
> component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x 
> before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, 
> and other products, allows remote attackers to inject arbitrary web script or 
> HTML via a crafted string in a URL. NOTE: this vulnerability exists because 
> of a CVE-2013-4939 regression. 
> Publish Date : 2013-07-29 Last Update Date : 2013-10-03
>  
> I have not been able to find anything that says how to update these scripts.  
> Please help!!

Is there any sign of io.swf being present? Because I cannot find it. In the 
earlier https://yuilibrary.com/support/20121030-vulnerability/ the YUI team 
recommends removal of any affected files, it seems Jenkins doesn't include them 
in the first place, and this would be a false positive report.
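A way to check this directly instead of trusting a version-string match, as an added example that is not part of the thread: open the war (it is a zip) and list any Flash file under a yui directory, io.swf included, since that is what the CVE and the linked advisory's removal advice concern. It assumes the war stores the YUI scripts under scripts/yui/ (the /static/<hash>/ URL prefix is not a path inside the archive); the sample war is constructed in memory so the script runs offline.

```python
"""Check a Jenkins war for YUI .swf files (CVE-2013-4940 is about io.swf).
Usage: python check_yui_swf.py /path/to/jenkins.war"""
import io
import re
import sys
import zipfile

# Assumption: YUI lives under a "yui/" directory inside the archive.
YUI_DIR_RE = re.compile(r"(^|/)yui/")
SWF_RE = re.compile(r"\.swf$", re.IGNORECASE)


def scan_war(war):
    """Report YUI entries and any .swf under them; war is a path or file object."""
    with zipfile.ZipFile(war) as z:
        names = z.namelist()
    yui_entries = [n for n in names if YUI_DIR_RE.search(n)]
    swf_under_yui = sorted(n for n in yui_entries if SWF_RE.search(n))
    return {
        "yui_files": len(yui_entries),
        "swf_under_yui": swf_under_yui,
        # A version match alone is not exposure; an exploitable .swf is.
        "needs_review": bool(swf_under_yui),
    }


def build_sample_war(include_swf):
    """Constructed sample archive (not real Jenkins content) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("scripts/yui/event/event-min.js", "/* yui event */")
        z.writestr("scripts/yui/yahoo/yahoo-min.js", "/* yui yahoo */")
        if include_swf:
            z.writestr("scripts/yui/uploader/assets/io.swf", b"FWS\x09stub")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_war(False)
    report = scan_war(target)
    print(report)
    sys.exit(1 if report["needs_review"] else 0)
```

Run it against the real war; an empty swf_under_yui list supports treating the scanner finding as a false positive, while any hit names the file the advisory says to remove.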

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/73C77EDB-B967-49A5-AC10-F1BFA7ED86FD%40beckweb.net.