Hello there,

Nothing to care about at the moment for YUI, as all the known vulnerabilities are related to the presence of the Flash files ("via .swf files"); they were removed from the library before it was included in Jenkins. But the out-of-date status is still valid, unfortunately.

Best regards,
Wadeck

On Monday, May 31, 2021 at 2:33:00 AM UTC+2 s.p...@gmail.com wrote:
> Thank you, Oleg. Thank you for sharing the link to report the vulnerabilities. Appreciate your help!
>
> On Sunday, May 30, 2021 at 2:46:39 PM UTC-4 o.v.ne...@gmail.com wrote:
>> Hello,
>>
>> Thanks for your report. I will let the Jenkins security team members comment on that. Just for your information, we have an official process for reporting security vulnerabilities. I highly recommend following this process. Please see https://www.jenkins.io/security/#reporting-vulnerabilities
>>
>> Best regards,
>> Oleg Nenashev
>>
>> On Sunday, May 30, 2021 at 3:05:00 AM UTC+2 s.p...@gmail.com wrote:
>>> Our web scans show an out-of-date version (YUI) vulnerability. I'm not able to find anything on how to remediate this finding. Any help is appreciated. TIA
>>> Example: /static/01babc68/scripts/yui/yahoo/yahoo-min.js
>>> Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via .swf files, allowing arbitrary code injection into hosting server CVE-2012-5881 CVE-2012-5883
>>>
>>> *Jenkins version - 2.250, windows 2012 server.*

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/7ce8af98-d252-4c46-bf84-5b82294db5aen%40googlegroups.com.
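The reply above rests on one verifiable fact: the YUI bundled in Jenkins carries no .swf files, which is what the two CVEs the scanner cites depend on. The script below is an added example, not code from the thread or from the Jenkins project, that checks exactly that against an exploded jenkins.war. It assumes the webapp layout implied by the scanner's URL, where `/static/<hash>/` is a cache prefix and the real files live under `scripts/yui/`, and it assumes a standalone install unpacks the war at `$JENKINS_HOME/war` (adjust for your deployment). The `clean` and `dirty` directory trees it builds are constructed demonstration data; the `uploader/assets/uploader.swf` path is a hypothetical example of what a stock YUI 2 layout might still ship.

```shell
#!/bin/sh
# Added example (not from the thread or the Jenkins project): confirm that the YUI
# shipped with a Jenkins webapp contains no Flash (.swf) files, since the YUI CVEs
# named in the thread (CVE-2012-5881, CVE-2012-5883) hinge on those files being served.
# The /static/<hash>/ prefix in the scanner's URL is a cache key; the files themselves
# live under scripts/yui/ inside the exploded war (assumption: $JENKINS_HOME/war on a
# standalone install; point it at wherever your deployment unpacks jenkins.war).

# check_no_swf <exploded-war-dir>
# Exit 0 when scripts/yui holds no .swf files, 1 when it does (offenders are listed),
# 2 when the directory is missing (wrong path, or YUI no longer bundled at all).
check_no_swf() {
    yui_dir="$1/scripts/yui"
    if [ ! -d "$yui_dir" ]; then
        echo "no YUI directory at $yui_dir" >&2
        return 2
    fi
    found=$(find "$yui_dir" -type f \( -name '*.swf' -o -name '*.SWF' \) | sort)
    if [ -n "$found" ]; then
        echo "Flash files still present under $yui_dir:"
        echo "$found"
        return 1
    fi
    echo "OK: no .swf files under $yui_dir"
    return 0
}

# make_sample_tree <root>
# Builds two constructed, throwaway layouts for demonstration (not real Jenkins data):
#   <root>/clean  - YUI as the reply describes it: JavaScript only
#   <root>/dirty  - a hypothetical layout that still carries an uploader .swf
make_sample_tree() {
    root="$1"
    mkdir -p "$root/clean/scripts/yui/yahoo" \
             "$root/dirty/scripts/yui/yahoo" \
             "$root/dirty/scripts/yui/uploader/assets"
    : > "$root/clean/scripts/yui/yahoo/yahoo-min.js"
    : > "$root/dirty/scripts/yui/yahoo/yahoo-min.js"
    : > "$root/dirty/scripts/yui/uploader/assets/uploader.swf"
}

# Stand-alone demo: build the sample tree and run the check against both layouts.
demo() {
    root=$(mktemp -d)
    make_sample_tree "$root"
    check_no_swf "$root/clean" || true    # expected: OK, exit status 0
    check_no_swf "$root/dirty" || true    # expected: lists uploader.swf, exit status 1
    rm -rf "$root"
}
demo
```

Against a real instance, run `check_no_swf "$JENKINS_HOME/war"` (or the path your servlet container unpacks the war to); a 0 exit status is the evidence to attach to the scanner finding, while a listed file means the mitigation the reply relies on does not hold for that deployment. Note that this only addresses the XSS finding; the "out-of-date version" status the reply mentions is a separate matter that a file check cannot close.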