GHSA-4C87-9XQ5-5C35
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-12-29 01:09Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts.
ZAP Pipeline Plugin prior to 1.10 globally disables the Content-Security-Policy header for static files served by Jenkins. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
Jenkins instances with Resource Root URL configured are largely unaffected. A possible exception are file parameter downloads. The behavior of those depends on the specific version of Jenkins:
- Jenkins 2.231 and newer, including 2.235.x LTS, is unaffected, as all resource files from user content are generally served safely from a different domain, without restrictions from Content-Security-Policy header.
- Jenkins between 2.228 (inclusive) and 2.230 (inclusive), as well as all releases of Jenkins 2.222.x LTS and the 2.204.6 LTS release, are affected by this vulnerability, as file parameters are not served via the Resource Root URL.
- Jenkins 2.227 and older, 2.204.5 and older, don’t have XSS protection for file parameter values, see SECURITY-1793.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.vrondakis.zap:zap-pipeline"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2214"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-29T01:09:19Z",
"nvd_published_at": "2020-07-02T15:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins sets the `Content-Security-Policy` header to static files served by Jenkins (specifically `DirectoryBrowserSupport`), such as workspaces, `/userContent`, or archived artifacts.\n\nZAP Pipeline Plugin prior to 1.10 globally disables the `Content-Security-Policy` header for static files served by Jenkins. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.\n\nJenkins instances with [Resource Root URL](https://www.jenkins.io/doc/upgrade-guide/2.204/#resource-domain-support) configured are largely unaffected. A possible exception are file parameter downloads. The behavior of those depends on the specific version of Jenkins:\n- Jenkins 2.231 and newer, including 2.235.x LTS, is unaffected, as all resource files from user content are generally served safely from a different domain, without restrictions from `Content-Security-Policy` header.\n- Jenkins between 2.228 (inclusive) and 2.230 (inclusive), as well as all releases of Jenkins 2.222.x LTS and the 2.204.6 LTS release, are affected by this vulnerability, as file parameters are not served via the Resource Root URL.\n- Jenkins 2.227 and older, 2.204.5 and older, don\u2019t have XSS protection for file parameter values, see [SECURITY-1793](https://www.jenkins.io/security/advisory/2020-03-25/#SECURITY-1793).",
"id": "GHSA-4c87-9xq5-5c35",
"modified": "2022-12-29T01:09:19Z",
"published": "2022-05-24T17:22:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2214"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/zap-pipeline-plugin/commit/bca4b087c66ead39398f54cdadc27c515e8ede31"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/zap-pipeline-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1811"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/07/02/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Content-Security-Policy protection for user content disabled by Jenkins ZAP Pipeline Plugin"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.