Description
Content-Security-Policy protection for user content disabled by Jenkins ScreenRecorder Plugin
Jenkins sets the Content-Security-Policy header on static files that it serves itself (specifically through DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. Administrators can replace the default policy by setting the Java system property hudson.model.DirectoryBrowserSupport.CSP.
ScreenRecorder Plugin 0.7 and earlier programmatically sets that system property to a policy containing media-src 'self'. Because a value in the property replaces the built-in default policy rather than extending it, on a Jenkins instance with default configuration this effectively disables all other directives in the default rule set, including those that restrict script-src. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
Jenkins instances with Resource Root URL configured are unaffected.
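To make the fallback behaviour concrete, the following Python script is an added example written for this page; it is not code from the advisory or from the ScreenRecorder Plugin. It parses a serialized CSP, applies the rule that a fetch directive such as script-src falls back to default-src when absent and is unrestricted when default-src is absent too, and treats a sandbox directive without allow-scripts as blocking script execution. The policies it compares are the Jenkins default for DirectoryBrowserSupport, a policy consisting only of media-src 'self' (the situation the advisory describes), and, as the editor's own illustration rather than anything the advisory recommends, the default with media-src 'self' appended. The constant names, the FETCH_DIRECTIVES set, and the omission of nonces and hashes are simplifications made here.

```python
"""Which CSP directive governs scripts in files Jenkins serves?

Editor's added example (not from the advisory or the ScreenRecorder Plugin).
Models two CSP rules that matter for this advisory:
  - a fetch directive (script-src, media-src, ...) falls back to default-src
    when it is absent, and is unrestricted when default-src is absent as well;
  - the sandbox directive blocks script execution unless it carries allow-scripts.
"""
from __future__ import annotations

from typing import Dict, List, Optional

# Jenkins' built-in default when hudson.model.DirectoryBrowserSupport.CSP is unset.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# A policy consisting only of media-src 'self', i.e. what the advisory describes
# ending up in the property. The property replaces the default; nothing is kept.
MEDIA_ONLY_CSP = "media-src 'self'"

# Editor's illustration (assumption, not an advisory recommendation): keep the
# default and append the media directive so the other restrictions survive.
DEFAULT_PLUS_MEDIA_CSP = JENKINS_DEFAULT_CSP + " media-src 'self';"

# Simplified set of directives that fall back to default-src (constructed here).
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "media-src", "object-src",
    "frame-src", "font-src", "connect-src", "child-src", "worker-src", "manifest-src",
}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [source expressions]}.

    Directive names are case-insensitive; when a name repeats, the first
    occurrence wins and later ones are ignored, as browsers do.
    """
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue
        directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def effective_sources(policy: str, directive: str) -> Optional[List[str]]:
    """Return the source list that governs `directive` after default-src fallback.

    None means the policy places no restriction on that directive at all.
    """
    directives = parse_csp(policy)
    if directive in directives:
        return directives[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in directives:
        return directives["default-src"]
    return None


def inline_script_allowed(policy: str) -> bool:
    """True if an inline <script> in a served HTML file would execute under `policy`.

    Nonces and hashes are not modeled: an attacker-controlled file cannot know a
    nonce, and the Jenkins default policy uses neither.
    """
    directives = parse_csp(policy)
    sandbox = directives.get("sandbox")
    if sandbox is not None and "allow-scripts" not in sandbox:
        return False  # sandboxed without allow-scripts: scripts never run
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return True  # no script-src and no default-src: unrestricted
    return "'unsafe-inline'" in sources


def audit(policy: str) -> Dict[str, object]:
    """Summarize what a policy does for the directives relevant to this advisory."""
    return {
        "script-src": effective_sources(policy, "script-src"),
        "media-src": effective_sources(policy, "media-src"),
        "sandboxed": "sandbox" in parse_csp(policy),
        "inline_script_allowed": inline_script_allowed(policy),
    }


if __name__ == "__main__":
    for label, policy in (("Jenkins default", JENKINS_DEFAULT_CSP),
                          ("media-src only", MEDIA_ONLY_CSP),
                          ("default + media-src", DEFAULT_PLUS_MEDIA_CSP)):
        print(f"{label:20} {policy}")
        for key, value in audit(policy).items():
            print(f"    {key:22} {value}")
```

Under the default policy an inline script is blocked twice over (sandbox without allow-scripts, and script-src falling back to default-src 'none'); under the media-src-only policy neither restriction exists, which is the XSS the advisory describes. On a live instance the current value can be read in the Script Console with System.getProperty("hudson.model.DirectoryBrowserSupport.CSP") (null means the built-in default applies), and the header actually sent can be checked by requesting a file under /userContent/ and inspecting the response headers.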
Packages
io.jenkins.plugins:screenrecorder
<= 0.7
Not available
Related vulnerabilities
Jenkins ScreenRecorder Plugin 0.7 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.