Thank you Wadeck. 

On Monday, May 31, 2021 at 2:50:34 AM UTC-4 [email protected] wrote:

> Hello there,
>
> Nothing to care about at the moment for YUI as all the known 
> vulnerabilities are related to the presence of the Flash files ("via .swf 
> files"); they were removed from the library before it was included in 
> Jenkins.
> But the out-of-date status is still valid unfortunately.
>
> Best regards,
>
> Wadeck
> On Monday, May 31, 2021 at 2:33:00 AM UTC+2 [email protected] wrote:
>
>> Thank you, Oleg. Thank you for sharing the link to report the 
>> vulnerabilities. Appreciate your help!
>>
>> On Sunday, May 30, 2021 at 2:46:39 PM UTC-4 [email protected] wrote:
>>
>>> Hello,
>>>
>>> Thanks for your report. I will let the Jenkins security team members 
>>> comment on that. Just for your information, we have an official process for 
>>> reporting security vulnerabilities. I highly recommend following this 
>>> process. Please see 
>>> https://www.jenkins.io/security/#reporting-vulnerabilities
>>>
>>> Best regards,
>>> Oleg Nenashev
>>>
>>>
>>>
>>> On Sunday, May 30, 2021 at 3:05:00 AM UTC+2 [email protected] wrote:
>>>
>>>> Our web scans show an out-of-date version (YUI) vulnerability. I'm not 
>>>> able to find anything on how to remediate this finding. Any help is 
>>>> appreciated. TIA
>>>> Example: /static/01babc68/scripts/yui/yahoo/yahoo-min.js 
>>>> Affected versions of the package are vulnerable to Cross-site 
>>>> Scripting (XSS) via .swf files, allowing arbitrary code injection into 
>>>> hosting server CVE-2012-5881 CVE-2012-5883
>>>>
>>>> *Jenkins version - 2.250, Windows 2012 server.*
>>>>
>>>
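
Added example (not part of the thread and not Jenkins project code): one way to check a given deployment for the condition the reply above ties the YUI CVEs to, namely whether any Flash files ship in the WAR. It walks nested archives and also matches the SWF magic bytes so renamed files are caught; all entry names in the samples are constructed, and passing the path to `jenkins.war` as the first argument is an assumption.

```python
import io
import sys
import zipfile

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib and LZMA Flash headers
NESTED = (".jar", ".war", ".zip", ".hpi", ".jpi")  # archives worth descending into

def find_flash(data, prefix=""):
    """Return sorted paths of Flash content in a WAR/JAR given as bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            lower = info.filename.lower()
            if lower.endswith(NESTED):
                try:
                    hits += find_flash(zf.read(info), path + "!/")
                except zipfile.BadZipFile:
                    pass  # named like an archive but is not one
                continue
            with zf.open(info) as fh:
                head = fh.read(3)
            # Flag by extension or by magic bytes (catches renamed .swf files)
            if lower.endswith(".swf") or head in SWF_MAGIC:
                hits.append(path)
    return sorted(hits)

def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_samples():
    """Constructed archives: one without Flash, one with a renamed and a nested SWF."""
    clean = _zip({"scripts/yui/yahoo/yahoo-min.js": b"/* YUI */"})
    inner = _zip({"assets/uploader.swf": b"CWS\x09constructed"})
    dirty = _zip({"scripts/yui/yahoo/yahoo-min.js": b"/* YUI */",
                  "scripts/yui/charts/renamed.bin": b"FWS\x09constructed",
                  "WEB-INF/lib/bundle.jar": inner})
    return clean, dirty

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:  # path to the WAR to inspect (assumption)
        print("\n".join(find_flash(fh.read())) or "no Flash content found")
```

An empty result is evidence for marking the scanner finding as not exploitable while still tracking the out-of-date library.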
