PT-2020-15429 · Jenkins · Jenkins Zap Pipeline Plugin+1

Daniel Beck · Published 2020-07-02 · Updated 2023-10-25 · CVE-2020-2214

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
- Jenkins ZAP Pipeline Plugin versions 1.9 and earlier
- Jenkins versions prior to 2.228 (excluding 2.227 and older, 2.204.5 and older, due to different security concerns)
- Jenkins versions 2.228 through 2.230
- Jenkins 2.222.x LTS versions
- Jenkins 2.204.6 LTS version
Description
Jenkins sets a Content-Security-Policy header on static files it serves from user-controlled locations (workspace files, archived artifacts, etc.) so that scripts in those files cannot run in the context of the Jenkins UI. ZAP Pipeline Plugin versions prior to 1.10 programmatically and globally disable that header. Users who can control such files can therefore carry out cross-site scripting (XSS) attacks against other users who view them. Jenkins instances with the Resource Root URL configured are largely unaffected; the exception is file parameter downloads, which remain affected depending on the Jenkins version.
Recommendations
- Jenkins ZAP Pipeline Plugin versions 1.9 and earlier: update to version 1.10 or later.
- Jenkins versions prior to 2.228: upgrade to a version that is not affected by this vulnerability, taking into account the other security concerns for versions 2.227 and older and 2.204.5 and older.
- Jenkins versions 2.228 through 2.230: upgrade to a version outside this range.
- Jenkins 2.222.x LTS versions: upgrade to a newer LTS version that includes the fix.
- Jenkins 2.204.6 LTS version: upgrade to a newer version that includes the fix.
- Temporary workaround: restrict access to user-generated content in workspaces and archived artifacts to reduce the exposure to XSS.
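As an added verification check (not code from the advisory, from Jenkins or from the plugin), the script below inspects the response headers of a workspace or artifact URL and reports whether the Content-Security-Policy header that protects user-generated content is missing or weakened. The expected default policy is an assumption, and the sample responses are constructed.

```python
"""Report a missing or weakened Content-Security-Policy on Jenkins
user-generated content (workspace files, archived artifacts)."""
import urllib.request

# Directives a restrictive static-file policy is expected to carry.
# ASSUMPTION: Jenkins' default is "sandbox; default-src 'none';
# img-src 'self'; style-src 'self';" - adjust if your instance differs.
REQUIRED = {"sandbox": None, "default-src": "'none'"}


def parse_csp(value: str) -> dict:
    """Split a CSP header into {directive: value-string}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = " ".join(tokens[1:])
    return policy


def csp_findings(headers: dict) -> list:
    """Return a list of problems with the CSP header (empty list = OK)."""
    raw = None
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "content-security-policy":
            raw = value
    if raw is None:
        return ["Content-Security-Policy header missing (disabled?)"]
    policy = parse_csp(raw)
    findings = []
    for directive, expected in REQUIRED.items():
        if directive not in policy:
            findings.append(f"missing directive: {directive}")
        elif expected is not None and policy[directive] != expected:
            findings.append(f"{directive} is {policy[directive]!r}, expected {expected!r}")
    return findings


def check_url(url: str) -> list:
    """Live check: fetch a workspace/artifact URL you are allowed to read."""
    with urllib.request.urlopen(url) as resp:
        return csp_findings(dict(resp.headers.items()))


# Constructed sample responses (not captured from a real server).
INTACT = {"Content-Security-Policy":
          "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"}
DISABLED = {"Content-Type": "text/html"}          # header absent
WEAKENED = {"content-security-policy": "default-src 'self'"}  # sandbox gone

if __name__ == "__main__":
    for label, hdrs in [("intact", INTACT), ("disabled", DISABLED), ("weakened", WEAKENED)]:
        print(label, csp_findings(hdrs) or "OK")
```

Run it against the URL of an HTML file served from a job workspace or artifact directory; any finding means scripts in that file may run in the Jenkins origin.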

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-2214
GHSA-4C87-9XQ5-5C35

Affected Products

Jenkins
Jenkins Zap Pipeline Plugin