CVE-2022-43434 Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier disables Content-Security-Policy protection for user-generated content.

This can be dangerous if, for example, a user uploads their own content to a shared hosting environment. Users can turn off the content security policy in their web browser settings, in which case Jenkins will allow any website to access and modify any of the user's uploaded files. This is especially dangerous for users of shared hosting, who may not even be aware of the settings change until it is too late. It can be fixed by following the steps below. To prevent this from happening, you can configure your web server to reject any incoming requests with a Content-Security-Policy header of default-src 'none'; and a similar header for any resources that allow user-generated content.

Configure Your Webserver To Block Access to Jenkins

Jenkins is vulnerable to this type of attack if the default configuration for its web server is not properly configured. To prevent Jenkins from being exploited, make sure your web server only allows access to Jenkins from the local machine that it is running on by implementing a whitelist in Apache or IIS. You may also want to set up SSL certificates and use HTTPS instead of HTTP requests.

Configure Jenkins to block any requests with a Content-Security-Policy header

Jenkins doesn't require any configuration to prevent a user from uploading malicious files to the Jenkins server. This is because Jenkins uses the file extension in the URL path to decide whether a request is allowed. For example, a request for a '.php' file would be blocked. However, Jenkins can open a port for PHP requests and allow them to run if they are necessary.
In order to prevent this vulnerability from occurring, you can configure Jenkins with a Content Security Policy (CSP). The CSP will only allow certain content types that you specify to be served through your website.
To prevent this vulnerability from occurring:
1) Configure your web server with a default-src 'none'; directive and always deny access to any resources that allow user-generated content
2) Follow the steps below for more information about configuring your web server with an appropriate CSP.

Change the default CSP header in Jenkins

On your Jenkins server, open the jenkins-config.xml file in a text editor. Locate the line that says "securitySettings.defaultCSPHeader" and change it to "default-src 'none';". Save and close the file.
If you're using Docker, you can set this manually by changing all the default-src directives in your Jenkinsfile to 'none'.

Check if content security policy is switched on

First, you can use a web browser to check if content security policy is switched on. You should see a green lock icon in the address bar. If you don’t see this, it means that the content security policy has been disabled and Jenkins will allow any website to access and modify any of the user’s uploaded files.
Next, you can check if content security policy is enabled on your Jenkins server by clicking on Manage Jenkins -> Configure System. Click Content Security Policy under Global Security Options.
If content security policy is not enabled, select Enable under Web Server Security and ensure the default-src 'none'; header is included in both the HTML response and any resources that allow user-generated content.
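As an added example, not code from this page or from the Jenkins project, the following Python checker evaluates a Content-Security-Policy header value of the kind returned for a user-generated-content path (a workspace or archived artifact) and reports why it is, or is not, restrictive enough; the sample header values are constructed.

```python
# Added example: judge whether a Content-Security-Policy header value still
# protects user-generated content. Jenkins sends such a header on workspace and
# artifact responses (configurable via the hudson.model.DirectoryBrowserSupport.CSP
# system property); CVE-2022-43434 concerns a plugin that disables it entirely.
from typing import Dict, List, Optional, Tuple

# Source expressions that make a fetch directive effectively unrestricted.
UNSAFE_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]} (names lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources for a fetch directive, falling back to default-src as browsers do."""
    return policy.get(directive, policy.get("default-src"))


def csp_protects_user_content(header: Optional[str]) -> Tuple[bool, List[str]]:
    """Return (ok, problems). An empty/missing header means CSP is disabled."""
    problems: List[str] = []
    if not header or not header.strip():
        return False, ["no Content-Security-Policy header: CSP protection is disabled"]
    policy = parse_csp(header)
    if "default-src" not in policy:
        problems.append("default-src missing; directives not listed are unrestricted")
    # The directives that matter most for uploaded HTML/JS: scripts, plugins, styles.
    for directive in ("script-src", "object-src", "style-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            continue  # already reported via the missing default-src
        bad = UNSAFE_SOURCES.intersection(sources)
        if bad:
            problems.append(f"{directive} allows {sorted(bad)}")
    return not problems, problems


if __name__ == "__main__":
    # Constructed samples: Jenkins' stock policy, a disabled header, a permissive one.
    for sample in ["sandbox; default-src 'none'; img-src 'self'; style-src 'self';", "", "default-src *"]:
        print(repr(sample), "->", csp_protects_user_content(sample))
```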

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/24/2022 13:56:00 UTC

References