CVE-2022-43434

描述

Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically `DirectoryBrowserSupport`), such as workspaces, `/userContent`, or archived artifacts, unless a Resource Root URL is specified. NeuVector Vulnerability Scanner Plugin 1.20 and earlier globally disables the `Content-Security-Policy` header for static files served by Jenkins whenever the 'NeuVector Vulnerability Scanner' build step is executed. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc. Jenkins instances with [Resource Root URL](https://www.jenkins.io/doc/book/security/user-content/#resource-root-url) configured are unaffected.

如何修補 CVE-2022-43434

要修補 CVE-2022-43434,請將受影響套件升級到下列已修補版本。

• —升級至 1.22 或更新版本

CVE-2022-43434 正在被利用嗎?

低 — EPSS 為 1.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 1.22

CVSS 分數

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-43434
• PATCHgithub.com/jenkinsci/neuvector-vulnerability-scanner-plugin
• WEBgithub.com/jenkinsci/neuvector-vulnerability-scanner-plugin/commit/e0a72373ef1c20c41b8eb086883a7090cf04809c
• WEBwww.jenkins.io/security/advisory/2022-10-19/#SECURITY-2865