PT-2024-2759 · Red Hat · Jenkins Red Hat Dependency Analytics Plugin

Pierre Beitz · Published 2024-01-24 · Updated 2024-04-11 · CVE-2024-23905

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Red Hat Dependency Analytics Plugin versions 0.7.1 and earlier

Description: The issue stems from the lack of Content-Security-Policy protection for user-generated content (files in workspaces, archived artifacts, etc.) that Jenkins offers for download. This allows a remote attacker who is able to manage files in workspaces to perform cross-site scripting (XSS) attacks. The Red Hat Dependency Analytics Plugin programmatically disables Content-Security-Policy protection for user-generated content when the 'Invoke Red Hat Dependency Analytics (RHDA)' build step is executed.

Recommendations: For Jenkins Red Hat Dependency Analytics Plugin versions 0.7.1 and earlier, consider disabling the 'Invoke Red Hat Dependency Analytics (RHDA)' build step until a patch is available, so that Content-Security-Policy protection is not disabled. Restrict access to user-generated content in workspaces and archived artifacts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
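As an added defender-side check (not part of this advisory or the plugin), the following Python audit parses the Content-Security-Policy header returned for workspace and artifact downloads and flags responses where the policy no longer blocks script execution, which is the state the description above warns about. The Jenkins default policy string, the sample URLs and the captured headers are assumptions constructed for the example.

```python
"""Flag Jenkins user-content responses whose CSP no longer blocks scripts.

Added example, not part of the advisory. Assumes Jenkins' default policy
"sandbox; default-src 'none'; img-src 'self'; style-src 'self';" and checks
captured response headers against the same criteria.
"""
from __future__ import annotations

# Assumed default policy Jenkins applies to workspace/artifact downloads.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for raw in value.split(";"):
        parts = raw.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def scripts_blocked(csp_header: str | None) -> bool:
    """True when the policy prevents inline and external script execution."""
    if not csp_header or not csp_header.strip():
        return False  # header absent or empty: CSP protection is disabled
    policy = parse_csp(csp_header)
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True  # sandboxed without allow-scripts: injected script cannot run
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # nothing restricts scripts
    return sources == ["'none'"]


def audit(headers_by_url: dict[str, dict[str, str]]) -> list[str]:
    """Return the URLs whose response no longer blocks scripts."""
    weak = []
    for url, headers in headers_by_url.items():
        lowered = {k.lower(): v for k, v in headers.items()}
        if not scripts_blocked(lowered.get("content-security-policy")):
            weak.append(url)
    return weak


# Constructed sample responses: the first keeps the default policy, the
# second has no CSP header at all, as after the protection was disabled.
SAMPLE = {
    "https://jenkins.example/job/app/ws/report.html": {
        "Content-Type": "text/html",
        "Content-Security-Policy": JENKINS_DEFAULT_CSP,
    },
    "https://jenkins.example/job/app/lastSuccessfulBuild/artifact/report.html": {
        "Content-Type": "text/html",
    },
}

if __name__ == "__main__":
    for url in audit(SAMPLE):
        print("CSP no longer blocks scripts on", url)
```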

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-02891
CVE-2024-23905
GHSA-X22X-5PP9-8V7F

Affected Products

Jenkins
Jenkins Red Hat Dependency Analytics Plugin
Red Os