Skip to content

Content-Security-Policy protection for user content disabled by Jenkins ScreenRecorder Plugin

High severity GitHub Reviewed Published Oct 19, 2022 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

maven io.jenkins.plugins:screenrecorder (Maven)

Affected versions

<= 0.7

Patched versions

None

Description

Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified.

ScreenRecorder Plugin 0.7 and earlier programmatically updates the Java system property allowing administrators to customize the Content-Security-Policy header for static files served by Jenkins to include media-src: 'self'. On a Jenkins instance with default configuration, this effectively disables all other directives in the default rule set, including script-src. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.

Jenkins instances with Resource Root URL configured are unaffected.

References

Published by the National Vulnerability Database Oct 19, 2022
Published to the GitHub Advisory Database Oct 19, 2022
Reviewed Oct 19, 2022
Last updated Feb 1, 2023

Severity

High
8.0
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2022-43433

GHSA ID

GHSA-cvxj-4745-843x

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.