Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified.

XFramium Builder Plugin 1.0.22 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins as soon as it is loaded. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.

Jenkins instances with Resource Root URL configured are unaffected.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-43432
• https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2863
• http://www.openwall.com/lists/oss-security/2022/10/19/3