PT-2022-26917 · Jenkins · Jenkins Screenrecorder Plugin

Published

2022-10-19

·

Updated

2023-11-22

·

CVE-2022-43433

CVSS v3.1

8.0

High

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Jenkins ScreenRecorder Plugin versions 0.7 and earlier

Description

Jenkins sends a restrictive Content-Security-Policy header with user-generated content it offers for download from workspaces, archived artifacts, etc. (the DirectoryBrowserSupport default is "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"), and lets administrators customize that header through the Java system property hudson.model.DirectoryBrowserSupport.CSP. ScreenRecorder Plugin 0.7 and earlier sets this property programmatically at runtime, replacing the default rule set with its own value. That value effectively disables all other directives in the default rule set, including the ones that block script execution, so an HTML file placed in a workspace or archive can run script on the Jenkins origin. This results in cross-site scripting (XSS) exploitable by users with the ability to control files in workspaces, archived artifacts, etc.
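The following is an added example (not code from the advisory, from Jenkins, or from the plugin) that turns the description above and the Resource Root URL recommendation below into a check a practitioner can run against a Jenkins instance: it parses the Content-Security-Policy header a served workspace or artifact file comes back with, decides whether script execution is still blocked, and treats a file served from a different origin (a configured Resource Root URL) as unaffected. The Jenkins default policy is the real one; the "weakened" policies are constructed test inputs, not the value the plugin actually sets, and the URLs and header dicts are made up.

```python
"""Judge, from response headers, whether a file Jenkins serves from a workspace
or archived artifact can execute script (added example, not advisory code).
Feed `assess()` the headers of a request such as `curl -I <file url>`."""
from urllib.parse import urlsplit

# Jenkins' default DirectoryBrowserSupport policy, i.e. the value a plugin
# overriding hudson.model.DirectoryBrowserSupport.CSP replaces.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"


def parse_csp(header):
    """Parse a CSP header into {directive-name: [source expressions]}.

    Per the CSP specification only the first occurrence of a directive is
    honoured, so later duplicates are ignored here as well.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def scripts_blocked(header):
    """True if the policy stops script execution in the served document.

    Either mechanism suffices on its own:
      * `sandbox` without `allow-scripts` disables scripting outright;
      * `script-src 'none'`, or `default-src 'none'` with no `script-src`,
        blocks every script source (inline, eval and remote).
    Anything else (no policy, `'self'`, `allow-scripts`, ...) lets a file an
    attacker placed in the workspace run script on the Jenkins origin.
    """
    policy = parse_csp(header)
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True
    sources = policy.get("script-src", policy.get("default-src"))
    # 'none' only takes effect when it is the sole source expression.
    return sources == ["'none'"]


def assess(headers, jenkins_url, file_url):
    """Classify one served file as "unaffected-resource-root", "protected"
    or "xss-possible" from its response headers and the URLs involved.

    `headers` is looked up case-insensitively. A file whose origin differs
    from the Jenkins URL is taken to be served via a Resource Root URL: script
    running there cannot reach the Jenkins session, so the instance is
    unaffected regardless of the header (assumption: the two URLs really do
    name the same instance, not two hostnames for one origin).
    """
    origin = lambda url: (urlsplit(url).scheme.lower(), urlsplit(url).netloc.lower())
    if origin(file_url) != origin(jenkins_url):
        return "unaffected-resource-root"
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), "")
    return "protected" if scripts_blocked(csp) else "xss-possible"


if __name__ == "__main__":
    JENKINS = "https://jenkins.example"                    # constructed
    FILE = JENKINS + "/job/build/ws/report.html"           # constructed
    # Constructed header sets: the Jenkins default, a weakened override of the
    # kind the advisory describes (not the plugin's literal value), and none.
    for name, csp in [("default", JENKINS_DEFAULT_CSP),
                      ("weakened", "sandbox allow-scripts; default-src 'self';"),
                      ("empty", "")]:
        print(f"{name:9s} {assess({'Content-Security-Policy': csp}, JENKINS, FILE)}")
    # Same file fetched through a Resource Root URL on a separate host.
    print("resource  ", assess({}, JENKINS,
                               "https://abc123.jenkins-resources.example/static/x/report.html"))
```

The "weakened" case is the one that matters for this advisory: `allow-scripts` lifts the sandbox restriction and `default-src 'self'` permits same-origin scripts, which an attacker-controlled file in the workspace trivially satisfies, so an `<script>` in it executes with the viewer's Jenkins session. Run the same check after disabling the plugin (and restarting Jenkins, since a system property set at runtime persists until the JVM exits) to confirm the default policy is back.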
Recommendations

No fixed version of the plugin was available when this advisory was published. Jenkins instances that have a Resource Root URL configured are unaffected, because user-generated content is then served from a separate origin; configuring one is the preferred mitigation. Otherwise, disable or uninstall ScreenRecorder Plugin 0.7 and earlier until a patched version is available (restart Jenkins afterwards, as the system property the plugin sets persists for the life of the JVM). Exploitation requires the ability to control files in workspaces, archived artifacts, etc., so as a temporary measure restrict that ability (job configuration and workspace write access) to trusted users.

Fix

Weakness Enumeration

Protection Mechanism Failure

Related Identifiers

CVE-2022-43433
GHSA-CVXJ-4745-843X

Affected Products

Jenkins
Jenkins Screenrecorder Plugin