CVE-2022-43434

Description

Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically `DirectoryBrowserSupport`), such as workspaces, `/userContent`, or archived artifacts, unless a Resource Root URL is specified. NeuVector Vulnerability Scanner Plugin 1.20 and earlier globally disables the `Content-Security-Policy` header for static files served by Jenkins whenever the 'NeuVector Vulnerability Scanner' build step is executed. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc. Jenkins instances with [Resource Root URL](https://www.jenkins.io/doc/book/security/user-content/#resource-root-url) configured are unaffected.

How to fix CVE-2022-43434

To remediate CVE-2022-43434, upgrade the affected package to a fixed version below.

• —upgrade to 1.22 or later

Is CVE-2022-43434 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.22

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-43434
• PATCHgithub.com/jenkinsci/neuvector-vulnerability-scanner-plugin
• WEBgithub.com/jenkinsci/neuvector-vulnerability-scanner-plugin/commit/e0a72373ef1c20c41b8eb086883a7090cf04809c
• WEBwww.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865