Description
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1793
Related Vulnerabilities
CVE-2019-1003062 Vulnerability in maven package org.jenkins-ci.plugins:aws-cloudwatch-logs-publisher
CVE-2019-14863 Vulnerability in maven package org.webjars.bower:angular
CVE-2019-0219 Vulnerability in npm package cordova-plugin-inappbrowser
CVE-2021-41303 Vulnerability in maven package org.apache.shiro:shiro-core