This advisory announces a vulnerability in the Cucumber Reports Plugin.
Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using
The Cucumber Reports Plugin disabled this XSS protection until Jenkins was restarted whenever a Cucumber Report was viewed by any user to work around the
While temporarily disabling this protection mechanism may be necessary to make plugins that haven't been adapted to the Content-Security-Policy restriction work, this should only be done by administrators, as doing so may result in a security issue (see Configuring Content Security Policy).
SECURITY-309 is considered medium.
The affected versions are Cucumber Reports Plugin 1.3.0 to 2.5.1 (inclusive).
Users of Cucumber Reports Plugin should update it to version 2.6.0 or newer.
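As an added illustration (not part of this advisory or of Jenkins), a defender's check that the Content-Security-Policy header Jenkins sends for workspace files and artifacts is still the restrictive default rather than relaxed or absent, which is how a plugin such as the one above would leave it. The header blocks are constructed samples, the default value is the one documented on the Configuring Content Security Policy page, and the Jenkins URL in the live helper is an assumed placeholder:

```shell
#!/bin/sh
# Constructed sample: headers as Jenkins serves a workspace file with the
# documented default value of hudson.model.DirectoryBrowserSupport.CSP.
HDR_DEFAULT="HTTP/1.1 200 OK
Content-Security-Policy: sandbox; default-src 'none'; img-src 'self'; style-src 'self';
Content-Type: text/html"

# Constructed sample: header missing entirely (CSP protection switched off).
HDR_MISSING="HTTP/1.1 200 OK
Content-Type: text/html"

# Constructed sample: header present but relaxed (no sandbox, scripts allowed).
HDR_RELAXED="HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'
Content-Type: text/html"

# csp_status HEADERS
# Prints "enforced", "weakened" or "missing"; returns 0 only when enforced.
# The check requires both the sandbox directive and default-src 'none',
# the two parts of the default that block inline and remote script.
csp_status() {
    csp=$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^Content-Security-Policy:' | head -n 1 | cut -d: -f2-)
    if [ -z "$csp" ]; then
        echo missing
        return 1
    fi
    case "$csp" in
        *sandbox*) ;;
        *) echo weakened; return 2 ;;
    esac
    case "$csp" in
        *"default-src 'none'"*) echo enforced; return 0 ;;
        *) echo weakened; return 2 ;;
    esac
}

# Live variant (assumed URL): fetch only the response headers of a workspace
# file, e.g. check_live_csp https://jenkins.example.invalid/job/myjob/ws/report.html
check_live_csp() {
    csp_status "$(curl -sI "$1")"
}

printf 'default: %s\n' "$(csp_status "$HDR_DEFAULT")"
printf 'missing: %s\n' "$(csp_status "$HDR_MISSING")"
printf 'relaxed: %s\n' "$(csp_status "$HDR_RELAXED")"
```

Run the live helper against a workspace or artifact URL on your own Jenkins instance after viewing a report; anything other than "enforced" means the headers described in the advisory are no longer being applied.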