CVE-2022-43435

Name of the Vulnerable Software and Affected Versions Jenkins 360 FireLine Plugin versions 1.7.2 and earlier

Description The issue concerns the Jenkins 360 FireLine Plugin, which programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc. when the 'Execute FireLine' build step is executed and the option 'Open access to HTML with JS or CSS' is checked. Jenkins instances with a Resource Root URL configured are unaffected.

Recommendations For Jenkins 360 FireLine Plugin versions 1.7.2 and earlier, consider disabling the 'Open access to HTML with JS or CSS' option in the 'Execute FireLine' build step to minimize the risk of exploitation. Additionally, avoid using the DirectoryBrowserSupport for serving static files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.