GoogleOSV:GHSA-X22X-5PP9-8V7FContent-Security-Policy disabled by Red Hat Dependency Analytics Jenkins Plugin
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
13.3%
Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified.
Red Hat Dependency Analytics Plugin 0.7.1 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins whenever the ‘Invoke Red Hat Dependency Analytics (RHDA)’ build step is executed. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
References
www.openwall.com/lists/oss-security/2024/01/24/6
github.com/jenkinsci/redhat-dependency-analytics-plugin
github.com/jenkinsci/redhat-dependency-analytics-plugin/commit/123e37795eb69f533a1cd8bd74113ebb1fdbdcda
nvd.nist.gov/vuln/detail/CVE-2024-23905
www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3322
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
13.3%