Out-of-date version(YUI)


s.p...@gmail.com

May 29, 2021, 9:05:00 PM5/29/21
to Jenkins Users
Our web scans show an out-of-date version (YUI) vulnerability. I'm not able to find anything on how to remediate this finding. Any help is appreciated. TIA

Example: /static/01babc68/scripts/yui/yahoo/yahoo-min.js

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via .swf files, allowing arbitrary code injection into the hosting server. CVE-2012-5881, CVE-2012-5883

Jenkins version 2.250, Windows 2012 server.

Oleg Nenashev

May 30, 2021, 2:46:39 PM5/30/21
to Jenkins Users
Hello,

Thanks for your report. I will let the Jenkins security team members comment on that. Just for your information, we have an official process for reporting security vulnerabilities. I highly recommend following this process. Please see https://www.jenkins.io/security/#reporting-vulnerabilities

Best regards,
Oleg Nenashev

s.p...@gmail.com

May 30, 2021, 8:33:00 PM5/30/21
to Jenkins Users
Thank you, Oleg. Thank you for sharing the link to report the vulnerabilities. Appreciate your help!

Wadeck Follonier

May 31, 2021, 2:50:34 AM5/31/21
to Jenkins Users
Hello there,

Nothing to worry about at the moment for YUI, as all the known vulnerabilities are related to the presence of the Flash files ("via .swf files"); they were removed from the library before it was included in Jenkins.
But the out-of-date status is unfortunately still valid.

Best regards,

Wadeck

Daniel Beck

May 31, 2021, 2:51:11 AM5/31/21
to jenkins...@googlegroups.com


> On 30. May 2021, at 03:05, s.p...@gmail.com <s.p...@gmail.com> wrote:
>
> Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via .swf files, allowing arbitrary code injection into the hosting server. CVE-2012-5881 CVE-2012-5883
>

While we include YUI, we do not include the vulnerable file.

Your scanner is trash.
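Both replies above rest on one verifiable fact: the CVEs the scanner cites concern YUI's Flash helper files, and the Jenkins bundle does not ship them. Rather than trust either the scanner or the mailing list, an administrator can check the WAR directly. The script below is an added example, not code from the thread or from the Jenkins project; it opens `jenkins.war` as the zip archive it is and lists any `.swf` entry under the YUI tree. The `scripts/yui/` prefix is an assumption about the bundle layout derived from the `/static/<hash>/scripts/yui/...` URL in the report, and the sample archive it builds for a dry run (including the `uploader.swf` entry) is constructed for the demonstration.

```python
"""Check a Jenkins WAR (any zip/jar works) for bundled YUI Flash (.swf) files.

Added example, not part of the mailing-list thread or of Jenkins itself.
Assumption: YUI resources live under scripts/yui/ inside the archive, which
matches the /static/<hash>/scripts/yui/... URL quoted in the scanner report.
"""
import io
import sys
import zipfile
from typing import List

YUI_PREFIX = "scripts/yui/"  # assumed layout of the YUI tree inside the WAR


def find_yui_swf(war_bytes: bytes) -> List[str]:
    """Return every archive entry under the YUI tree that is a .swf file.

    An empty list means the Flash helpers the YUI CVEs refer to are absent,
    i.e. the 'out-of-date' finding carries no XSS-via-.swf exposure.
    """
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return sorted(
            name for name in zf.namelist()
            if YUI_PREFIX in name and name.lower().endswith(".swf")
        )


def list_yui_entries(war_bytes: bytes) -> List[str]:
    """Return all YUI entries, useful for seeing what the bundle actually ships."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return sorted(name for name in zf.namelist() if YUI_PREFIX in name)


def build_sample_war(include_swf: bool) -> bytes:
    """Constructed stand-in for jenkins.war used for the offline dry run.

    The file names are made up for the demonstration; the optional .swf entry
    plays the role of the Flash helper the scanner's CVE references describe.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scripts/yui/yahoo/yahoo-min.js", "/* constructed stub */")
        zf.writestr("scripts/yui/uploader/uploader-min.js", "/* constructed stub */")
        if include_swf:
            # "FWS" is the uncompressed-SWF magic; the body is a constructed stub.
            zf.writestr("scripts/yui/uploader/assets/uploader.swf", b"FWS\x0a")
    return buf.getvalue()


def report(war_bytes: bytes, label: str) -> bool:
    """Print a verdict for one archive; True when no YUI .swf is bundled."""
    swfs = find_yui_swf(war_bytes)
    print(f"{label}: {len(list_yui_entries(war_bytes))} YUI entries, "
          f"{len(swfs)} .swf file(s)")
    for name in swfs:
        print(f"  bundled Flash helper: {name}")
    return not swfs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python check_yui_swf.py /path/to/jenkins.war
        with open(sys.argv[1], "rb") as fh:
            clean = report(fh.read(), sys.argv[1])
    else:
        # Dry run on the constructed archives: one with, one without the .swf.
        report(build_sample_war(include_swf=True), "sample-with-swf")
        clean = report(build_sample_war(include_swf=False), "sample-without-swf")
    sys.exit(0 if clean else 1)
```

Run it against the real `jenkins.war` (on Windows, the file sits under the Jenkins installation directory) and an empty result confirms what Wadeck and Daniel state for that specific build; a non-empty result is the evidence to attach when following the reporting process Oleg linked. The exit code makes the check usable as a gate in a pipeline that builds or vets Jenkins images.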

s.p...@gmail.com

Jun 1, 2021, 9:59:31 PM6/1/21
to Jenkins Users
Thank you, Wadeck.