Skip to content

Content-Security-Policy protection for user content can be disabled in Jenkins 360 FireLine Plugin

High severity GitHub Reviewed Published Oct 19, 2022 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

maven org.jenkins-ci.plugins.plugin:fireline (Maven)

Affected versions

<= 1.7.2

Patched versions

None

Description

Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified.

360 FireLine Plugin 1.7.2 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins whenever the 'Execute FireLine' build step is executed, if the option 'Open access to HTML with JS or CSS' is checked. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.

Jenkins instances with Resource Root URL configured are unaffected.

References

Published by the National Vulnerability Database Oct 19, 2022
Published to the GitHub Advisory Database Oct 19, 2022
Reviewed Oct 19, 2022
Last updated Feb 1, 2023

Severity

High
8.0
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2022-43435

GHSA ID

GHSA-7rrj-hqv6-fvpp

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.