CVE-2024-23905: 
Java vulnerability analysis and mitigation

CVE-2024-23905 affects the Jenkins Red Hat Dependency Analytics Plugin versions 0.7.1 and earlier. The vulnerability was discovered and reported by Pierre Beitz from CloudBees, Inc. and was disclosed on January 24, 2024. The vulnerability involves the plugin programmatically disabling Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, and other content that Jenkins offers for download (Jenkins Advisory).

The vulnerability occurs when the plugin globally disables the Content-Security-Policy header for static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts. This behavior is triggered whenever the 'Invoke Red Hat Dependency Analytics (RHDA)' build step is executed. The vulnerability has been assigned a CVSS severity rating of High (Jenkins Advisory).

This vulnerability enables cross-site scripting (XSS) attacks by users who have the ability to control files in workspaces, archived artifacts, and other content. However, Jenkins instances with Resource Root URL configured are not affected by this vulnerability (Jenkins Advisory).

The vulnerability has been fixed in Red Hat Dependency Analytics Plugin version 0.9.0, which no longer disables the Content-Security-Policy header for static files served by Jenkins. Users are advised to upgrade to this version to mitigate the vulnerability (Jenkins Advisory).