GitHub Advisory DatabaseGHSA-WMFH-H3VM-RCXMContent-Security-Policy protection for user content disabled by Jenkins NeuVector Vulnerability Scanner Plugin
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
33.5%
Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified.
NeuVector Vulnerability Scanner Plugin 1.20 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins whenever the ‘NeuVector Vulnerability Scanner’ build step is executed. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
Jenkins instances with Resource Root URL configured are unaffected.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| io.jenkins.plugins:neuvector-vulnerability-scanner | le | 1.20 |
References
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
33.5%