VYPR
High severity · NVD Advisory · Published Oct 19, 2022 · Updated May 8, 2025

CVE-2022-43432

Description

Jenkins XFramium Builder Plugin 1.0.22 and earlier disables Content-Security-Policy for user-generated content, enabling XSS attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


The Jenkins XFramium Builder Plugin, in version 1.0.22 and earlier, programmatically disables the Content-Security-Policy (CSP) protection that Jenkins applies to user-generated content it offers for download, such as files in job workspaces and archived build artifacts [1][3]. Jenkins serves those files with a deliberately restrictive policy (by default "sandbox; default-src 'none'; img-src 'self'; style-src 'self';", sent as Content-Security-Policy together with the legacy X-Content-Security-Policy and X-WebKit-CSP headers) so that an HTML or SVG file written into a workspace cannot execute script against the Jenkins origin when a user opens it in a browser. The setting the plugin clears is a global one, so the protection is lost for all such content on the instance, not only for files the plugin itself produces.

An attacker who can get a file into a workspace or an archived artifact, in practice anyone with permission to configure a job, or anyone who can commit to a repository that a job checks out or archives, can therefore have HTML served that runs script in the Jenkins origin [2]. The attack completes when a victim with access to the instance opens that file through the Jenkins UI, for example via the job's workspace or artifact browser; no further interaction is needed, but a victim visit is required.

The result is stored cross-site scripting. Script running in the Jenkins origin acts with the victim's permissions: it can read pages and the CSRF crumb, call the REST API, and perform any action the victim is allowed to, up to Script Console execution if the victim is an administrator [1]. This page records the severity as high; the cited references do not state a CVSS 3.1 score.

Jenkins tracks the issue as SECURITY-2863 [1][4]. Note that this page lists no patched version: the affected range is 1.0.22 and earlier with an empty patched-versions column, and the patch count below is 0, so treat any installed version as affected until the plugin's advisory entry states otherwise. The practical mitigations are to uninstall the plugin where it is not needed and, where it must stay, to verify that workspace and artifact responses actually carry the CSP headers. Restoring the CSP setting from the Script Console is only a temporary measure, because a plugin that clears the setting programmatically will clear it again on the next restart at the latest.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
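As an added example (not code from this page, from Jenkins, or from the XFramium Builder Plugin), the following Python script checks whether a Jenkins workspace or artifact response still carries the CSP headers discussed above, which is the check a practitioner would run on a live instance before and after removing or updating the plugin. The default policy string and the three header names are Jenkins' documented defaults for user-generated content; the sample header sets are constructed for the example, and the URL layout and credentials on the usage line are placeholders.

```python
"""Verify whether Jenkins still sends its CSP headers on user-generated content.

Jenkins normally attaches a restrictive Content-Security-Policy to files it
serves from workspaces (.../job/<name>/ws/<file>) and archived artifacts
(.../job/<name>/<build>/artifact/<file>).  A plugin that disables that policy,
as described for CVE-2022-43432, leaves such responses without the header.
This script classifies a response's headers as 'ok', 'weak' or 'missing'.
"""
import base64
import urllib.error
import urllib.request

# Jenkins' documented default policy for workspace/artifact responses.
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"

# Jenkins sets the standard header plus two legacy variants with the same value.
CSP_HEADER_NAMES = ("Content-Security-Policy", "X-Content-Security-Policy", "X-WebKit-CSP")


def parse_csp(value):
    """Parse a CSP string into {directive_name: [source_expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def assess_csp(headers):
    """Classify response headers (any-case mapping) as ok / weak / missing.

    'ok'      : a policy is present that sandboxes the document and denies script
    'weak'    : a policy is present but attacker HTML could still run script
    'missing' : no Content-Security-Policy header at all (the CVE-2022-43432 symptom)
    Returns (verdict, findings).  The script check is deliberately conservative:
    a sandboxed document without allow-same-origin is already isolated, but a
    policy that permits script at all is reported so it gets reviewed.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" not in lower:
        return "missing", ["no Content-Security-Policy header on user-generated content"]

    policy = parse_csp(lower["content-security-policy"])
    problems, notes = [], []
    sandbox = policy.get("sandbox")
    if sandbox is None:
        problems.append("no sandbox directive: attacker HTML keeps the Jenkins origin")
    elif {"allow-scripts", "allow-same-origin"} <= set(sandbox):
        problems.append("sandbox allows scripts in the same origin, which defeats it")
    # script-src falls back to default-src when it is not given explicitly
    script_src = policy.get("script-src", policy.get("default-src", []))
    if not script_src:
        problems.append("neither script-src nor default-src set: script is unrestricted")
    elif script_src != ["'none'"]:
        problems.append("script permitted from: " + " ".join(script_src))
    for legacy in CSP_HEADER_NAMES[1:]:
        if legacy.lower() not in lower:
            notes.append("legacy header %s absent (the Jenkins default sends it)" % legacy)
    return ("weak" if problems else "ok"), problems + notes


def fetch_headers(url, user=None, api_token=None, timeout=10):
    """GET a Jenkins URL and return its response headers as a dict.

    Error responses are returned too, since the CSP headers matter on both.
    """
    req = urllib.request.Request(url, method="GET")
    if user and api_token:
        cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample responses for offline use (not captured from a real instance).
SAMPLE_DEFAULT = {
    "Content-Type": "text/html;charset=utf-8",
    "Content-Security-Policy": JENKINS_DEFAULT_CSP,
    "X-Content-Security-Policy": JENKINS_DEFAULT_CSP,
    "X-WebKit-CSP": JENKINS_DEFAULT_CSP,
}
SAMPLE_DISABLED = {  # what a response looks like once a plugin clears the policy
    "Content-Type": "text/html;charset=utf-8",
}
SAMPLE_RELAXED = {  # an administrator's loosened policy: document is not sandboxed
    "Content-Type": "text/html;charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    import sys
    # usage: csp_check.py https://jenkins.example/job/app/ws/report.html [user api_token]
    headers = fetch_headers(sys.argv[1], *sys.argv[2:4]) if len(sys.argv) > 1 else SAMPLE_DISABLED
    verdict, findings = assess_csp(headers)
    print(verdict)
    for finding in findings:
        print(" -", finding)
```

Point the script at a workspace or artifact file you control (an HTML file committed to a job's repository is enough) rather than at a Jenkins page, since the question is what headers accompany user-generated content specifically. A "missing" verdict on a workspace file while the plugin is installed is the observable symptom of this advisory; run it again after a restart, because a Script Console override may not survive one.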

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions   Patched versions
org.jenkins-ci.plugins:xframium (Maven)   <= 1.0.22           none listed

Patches

0

No patches discovered yet.
