CVE-2020-2173 – org.jenkins-ci.plugins:gatling
Package
Manager: maven
Name: org.jenkins-ci.plugins:gatling
Vulnerable Version: >=0 <1.3.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00156 (percentile 0.36922)
Details
XSS vulnerability in Jenkins Gatling Plugin. Gatling Plugin 1.2.7 and earlier serves Gatling reports in a manner that bypasses the `Content-Security-Policy` protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content. Gatling Plugin 1.3.0 no longer allows viewing Gatling reports directly in Jenkins. Instead, users need to download an archive containing the report.
Metadata
Created: 2022-05-24T17:13:39Z
Modified: 2022-12-20T17:39:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hv53-qjg6-5pm9/GHSA-hv53-qjg6-5pm9.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-hv53-qjg6-5pm9
Finding: F425
Auto approve: 1