CVE-2022-43435

Description

Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically `DirectoryBrowserSupport`), such as workspaces, `/userContent`, or archived artifacts, unless a Resource Root URL is specified. 360 FireLine Plugin 1.7.2 and earlier globally disables the `Content-Security-Policy` header for static files served by Jenkins whenever the 'Execute FireLine' build step is executed, if the option 'Open access to HTML with JS or CSS' is checked. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc. Jenkins instances with [Resource Root URL](https://www.jenkins.io/doc/book/security/user-content/#resource-root-url) configured are unaffected.

How to fix CVE-2022-43435

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2022-43435 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 1.7.2

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-43435
• PATCHgithub.com/jenkinsci/fireline-plugin
• WEBwww.jenkins.io/security/advisory/2022-10-19/#SECURITY-2866
• WEBwww.openwall.com/lists/oss-security/2022/10/19/3