CVE-2020-2162 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.228 || >=2.204.6 <2.228
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00356 pctl0.57145
Details
Improper Neutralization of Input During Web Page Generation in Jenkins Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate `Content-Security-Policy HTTP` headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters.\n\nJenkins now sets `Content-Security-Policy` HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL.\n\nThe system property `hudson.model.DirectoryBrowserSupport.CSP` can be set to override the value of `Content-Security-Policy` headers sent when serving these files. This is the same system property used for files in workspaces and archived artifacts unless those are served via the [Resource Root URL](https://www.jenkins.io/doc/upgrade-guide/2.204/#resource-domain-support) and works the same way for file parameters. See [Configuring Content Security Policy](https://www.jenkins.io/doc/book/security/configuring-content-security-policy) to learn more.\n\nEven when Jenkins is configured to serve files in workspaces and archived artifacts using the Resource Root URL (introduced in Jenkins 2.200), file parameters are not, and therefore still subject to `Content-Security-Policy` restrictions.
Metadata
Created: 2022-05-24T17:12:40Z
Modified: 2022-12-22T05:25:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-crg2-6xv3-qg5f/GHSA-crg2-6xv3-qg5f.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-crg2-6xv3-qg5f
Finding: F425
Auto approve: 1