Description
Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.
Remediation
References
https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1811
http://www.openwall.com/lists/oss-security/2020/07/02/7
Related Vulnerabilities
CVE-2012-5886 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2020-1724 Vulnerability in maven package org.keycloak:keycloak-services
CVE-2021-38555 Vulnerability in maven package org.apache.any23:apache-any23-core
CVE-2022-41249 Vulnerability in maven package com.meowlomo.jenkins:scm-httpclient
CVE-2023-36478 Vulnerability in maven package org.eclipse.jetty.http3:http3-qpack