Description
Content-Security-Policy protection for user content disabled by Jenkins XFramium Builder Plugin
Jenkins sets the Content-Security-Policy header on static files that it serves itself (specifically through DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified.
XFramium Builder Plugin 1.0.22 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins as soon as it is loaded. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
Jenkins instances with Resource Root URL configured are unaffected.
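As an added example (not part of this advisory, and not the plugin's or Jenkins' own code), a small Python check an administrator can run against an instance they operate to confirm that static files still carry the Content-Security-Policy header described above. The default policy string is taken from the Jenkins CSP documentation; the `/userContent/readme.txt` path is an assumption (Jenkins creates that file by default).

```python
"""Classify the Content-Security-Policy sent on Jenkins static files
(DirectoryBrowserSupport), to detect the header being disabled globally."""
import urllib.request
from typing import Mapping

# Jenkins' default CSP for DirectoryBrowserSupport, as documented at
# https://www.jenkins.io/doc/book/security/configuring-content-security-policy/
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"


def parse_csp(value: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_status(headers: Mapping[str, str]) -> str:
    """Classify the CSP on a static-file response.

    'missing'  - no header (the state this advisory describes)
    'weakened' - header present but without sandbox or default-src 'none'
    'default'  - the restrictive policy Jenkins sends out of the box
    """
    # Header names are case-insensitive, so match them case-insensitively.
    value = next((v for k, v in headers.items()
                  if k.lower() == "content-security-policy"), None)
    if value is None or not value.strip():
        return "missing"
    policy = parse_csp(value)
    if "sandbox" not in policy or policy.get("default-src") != ["'none'"]:
        return "weakened"
    return "default"


def check_jenkins(base_url: str, path: str = "/userContent/readme.txt") -> str:
    """Fetch a static file from a Jenkins instance you administer and classify its CSP.

    The path is an assumption: Jenkins ships /userContent/readme.txt by default.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path, method="HEAD")
    with urllib.request.urlopen(req) as resp:
        return csp_status(dict(resp.headers.items()))
```

Run `check_jenkins("https://jenkins.example.invalid")` with your own URL; anything other than `default` means the protection has been removed or loosened.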
Packages
org.jenkins-ci.plugins:xframium
<= 1.0.22
Not available
Related vulnerabilities
Jenkins XFramium Builder Plugin 1.0.22 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.