CVE-2020-2162: 
Java vulnerability analysis and mitigation

CVE-2020-2162 is a stored cross-site scripting (XSS) vulnerability affecting Jenkins versions 2.227 and earlier, and LTS 2.204.5 and earlier. The vulnerability was discovered by Phu X. Mai from the University of Luxembourg and was disclosed on March 25, 2020 (Jenkins Advisory).

The vulnerability stems from Jenkins not setting appropriate Content-Security-Policy HTTP headers when serving files uploaded as file parameters to a build. This security flaw affects files uploaded via file parameters, even when Jenkins is configured to serve files in workspaces and archived artifacts using the Resource Root URL (introduced in Jenkins 2.200). The severity of this vulnerability is rated as Medium according to the CVSS scoring system (Jenkins Advisory).

This vulnerability results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users who have permissions to build a job with file parameters. The impact is limited to users with specific build permissions but could potentially allow attackers to execute malicious scripts in the context of other users' browsers (Jenkins Advisory).

The vulnerability was fixed in Jenkins weekly version 2.228 and Jenkins LTS versions 2.204.6 and 2.222.1. The fix implements Content-Security-Policy HTTP headers when serving files uploaded via file parameters, using the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL. Administrators can override the Content-Security-Policy headers value using the system property hudson.model.DirectoryBrowserSupport.CSP (Jenkins Advisory).