GHSA-7rrj-hqv6-fvpp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7rrj-hqv6-fvpp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-7rrj-hqv6-fvpp/GHSA-7rrj-hqv6-fvpp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7rrj-hqv6-fvpp
- Aliases
- Published
- 2022-10-19T19:00:18Z
- Modified
- 2023-11-08T04:10:44.133018Z
- Severity
-
- 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Content-Security-Policy protection for user content can be disabled in Jenkins 360 FireLine Plugin
- Details
-
Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically
DirectoryBrowserSupport), such as workspaces,/userContent, or archived artifacts, unless a Resource Root URL is specified.360 FireLine Plugin 1.7.2 and earlier globally disables the
Content-Security-Policyheader for static files served by Jenkins whenever the 'Execute FireLine' build step is executed, if the option 'Open access to HTML with JS or CSS' is checked. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.Jenkins instances with Resource Root URL configured are unaffected.
- Database specific
{ "nvd_published_at": "2022-10-19T16:15:00Z", "github_reviewed_at": "2022-10-19T20:27:57Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-693" ] }- References
Affected packages
Maven / org.jenkins-ci.plugins.plugin:fireline
Package
- Name
- org.jenkins-ci.plugins.plugin:fireline
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins.plugin/fireline