GHSA-4c87-9xq5-5c35
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4c87-9xq5-5c35
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4c87-9xq5-5c35/GHSA-4c87-9xq5-5c35.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4c87-9xq5-5c35
- Aliases
- Published
- 2022-05-24T17:22:20Z
- Modified
- 2023-11-08T04:02:57.393518Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Content-Security-Policy protection for user content disabled by Jenkins ZAP Pipeline Plugin
- Details
-
Jenkins sets the
Content-Security-Policyheader to static files served by Jenkins (specificallyDirectoryBrowserSupport), such as workspaces,/userContent, or archived artifacts.ZAP Pipeline Plugin prior to 1.10 globally disables the
Content-Security-Policyheader for static files served by Jenkins. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.Jenkins instances with Resource Root URL configured are largely unaffected. A possible exception are file parameter downloads. The behavior of those depends on the specific version of Jenkins: - Jenkins 2.231 and newer, including 2.235.x LTS, is unaffected, as all resource files from user content are generally served safely from a different domain, without restrictions from
Content-Security-Policyheader. - Jenkins between 2.228 (inclusive) and 2.230 (inclusive), as well as all releases of Jenkins 2.222.x LTS and the 2.204.6 LTS release, are affected by this vulnerability, as file parameters are not served via the Resource Root URL. - Jenkins 2.227 and older, 2.204.5 and older, don’t have XSS protection for file parameter values, see SECURITY-1793. - Database specific
{ "nvd_published_at": "2020-07-02T15:15:00Z", "github_reviewed_at": "2022-12-29T01:09:19Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-2214
- https://github.com/jenkinsci/zap-pipeline-plugin/commit/bca4b087c66ead39398f54cdadc27c515e8ede31
- https://github.com/jenkinsci/zap-pipeline-plugin
- https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1811
- http://www.openwall.com/lists/oss-security/2020/07/02/7
Affected packages
Maven / com.vrondakis.zap:zap-pipeline
Package
- Name
- com.vrondakis.zap:zap-pipeline
- View open source insights on deps.dev
- Purl
- pkg:maven/com.vrondakis.zap/zap-pipeline