Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified.

NeuVector Vulnerability Scanner Plugin 1.20 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins whenever the 'NeuVector Vulnerability Scanner' build step is executed. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.

Jenkins instances with Resource Root URL configured are unaffected.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-43434
• https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865
• http://www.openwall.com/lists/oss-security/2022/10/19/3
• jenkinsci/neuvector-vulnerability-scanner-plugin@e0a7237