CVE-2022-43434

Name of the Vulnerable Software and Affected Versions Jenkins NeuVector Vulnerability Scanner Plugin versions 1.20 and earlier

Description The issue allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc. This is because the NeuVector Vulnerability Scanner Plugin programmatically disables Content-Security-Policy protection for user-generated content in these areas. Jenkins instances with a Resource Root URL configured are unaffected.

Recommendations For Jenkins NeuVector Vulnerability Scanner Plugin versions 1.20 and earlier, consider disabling the plugin until a patch is available to prevent cross-site scripting attacks. Restrict access to user-generated content in workspaces and archived artifacts to minimize the risk of exploitation. Avoid using the DirectoryBrowserSupport feature in Jenkins until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.