This advisory announces a vulnerability in the Cucumber Reports Plugin.
SECURITY-309
Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks that use workspace files and archived artifacts served via DirectoryBrowserSupport (SECURITY-95).
Whenever any user viewed a Cucumber Report, the Cucumber Reports Plugin disabled this XSS protection (for all files served by DirectoryBrowserSupport, not just the report) until Jenkins was restarted, in order to work around the Content-Security-Policy limitations.
While temporarily disabling this protection mechanism may be necessary to make plugins work that have not yet been adapted to the Content-Security-Policy restriction, only administrators should do so, deliberately and knowingly, as doing so may result in a security issue (see Configuring Content Security Policy).
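As an added example (not part of the advisory and not the plugin's own code), the following Python script checks whether a Jenkins instance is still sending the Content-Security-Policy headers that DirectoryBrowserSupport adds to served workspace files and artifacts. This is how an administrator can tell whether a plugin behaving like the one described above has switched the protection off. The Jenkins URL is a placeholder, the header sets at the bottom are constructed rather than captured from a real instance, and the script assumes the default policy value documented on the Configuring Content Security Policy page and that an empty `hudson.model.DirectoryBrowserSupport.CSP` property makes Jenkins omit the headers entirely.

```python
"""Check whether DirectoryBrowserSupport CSP headers are still sent.

Added example for SECURITY-309; not the plugin's code.
"""
import sys
import urllib.request

# Default policy Jenkins sends since 1.641 / 1.625.3 (documented value).
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# Jenkins sets the policy under the standard name and two legacy prefixed names.
CSP_HEADER_NAMES = ("Content-Security-Policy", "X-WebKit-CSP", "X-Content-Security-Policy")


def parse_csp(value):
    """Parse a CSP string into {directive: [source, ...]} (directive names lowercased)."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        directives[tokens[0].lower()] = tokens[1:]
    return directives


def assess_csp(headers):
    """Classify the CSP protection on a DirectoryBrowserSupport response.

    headers: mapping header-name -> value (looked up case-insensitively).
    Returns (status, findings), status in {"default", "relaxed", "disabled"}.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    value = None
    for name in CSP_HEADER_NAMES:
        if name.lower() in lower:
            value = lower[name.lower()]
            break
    # An empty hudson.model.DirectoryBrowserSupport.CSP property (assumed here,
    # as documented) makes Jenkins send no header at all: protection is off.
    if value is None or not value.strip():
        return "disabled", ["no Content-Security-Policy header on served file"]

    d = parse_csp(value)
    findings = []
    if "sandbox" not in d:
        findings.append("sandbox directive missing: served HTML runs in the Jenkins origin")
    # script-src falls back to default-src; only 'none' blocks scripts entirely.
    effective = d.get("script-src", d.get("default-src"))
    if effective is None:
        findings.append("no script-src/default-src: inline and remote scripts allowed")
    elif effective != ["'none'"]:
        findings.append("scripts may load from: " + " ".join(effective))
    if not findings:
        return "default", []
    return "relaxed", findings


def fetch_headers(url):
    """GET the URL anonymously and return its response headers as a dict."""
    with urllib.request.urlopen(url) as resp:  # operator-supplied URL
        return dict(resp.headers)


# Constructed header sets (not captured from a real instance).
SAMPLE_DEFAULT = {name: JENKINS_DEFAULT_CSP for name in CSP_HEADER_NAMES}
SAMPLE_DISABLED = {"Content-Type": "text/html;charset=UTF-8"}  # property set to ""
SAMPLE_RELAXED = {"Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline';"}


def main(argv):
    if argv:
        # Placeholder: any workspace file or archived artifact URL on your instance.
        headers = fetch_headers(argv[0])
        samples = {argv[0]: headers}
    else:
        samples = {"default": SAMPLE_DEFAULT, "disabled": SAMPLE_DISABLED,
                   "relaxed": SAMPLE_RELAXED}
    for label, hdrs in samples.items():
        status, findings = assess_csp(hdrs)
        print("%s: %s" % (label, status))
        for f in findings:
            print("  - " + f)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the three constructed cases, or pass a URL such as `https://jenkins.example.com/job/<job>/ws/index.html` (placeholder) to test a live instance; a "disabled" result on a server that should be running with defaults means some plugin or startup flag has cleared the policy, exactly the condition this advisory describes.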
Severity: SECURITY-309 is considered medium.
Affected versions: Cucumber Reports Plugin 1.3.0 to 2.5.1 (inclusive).
Fix: Users of Cucumber Reports Plugin should update it to version 2.6.0 or newer.