CVE-2022-43432

Name of the Vulnerable Software and Affected Versions Jenkins XFramium Builder Plugin versions 1.0.22 and earlier

Description The issue allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc. This is because the Jenkins XFramium Builder Plugin programmatically disables Content-Security-Policy protection for user-generated content. The Content-Security-Policy header is normally set by Jenkins for static files served by Jenkins, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. However, the XFramium Builder Plugin globally disables this header, making it possible for attackers to exploit this weakness.

Recommendations For Jenkins XFramium Builder Plugin versions 1.0.22 and earlier, consider disabling the plugin until a patch is available to prevent cross-site scripting attacks. Restrict access to user-generated content in workspaces and archived artifacts to minimize the risk of exploitation. If possible, configure a Resource Root URL for Jenkins instances to prevent the global disabling of the Content-Security-Policy header.