Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1odjUzLXFqZzYtNXBtOc4AAkKl
XSS vulnerability in Jenkins Gatling Plugin
Gatling Plugin 1.2.7 and earlier serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.
Gatling Plugin 1.3.0 no longer allows viewing Gatling reports directly in Jenkins. Instead users need to download an archive containing the report.
Permalink: https://github.com/advisories/GHSA-hv53-qjg6-5pm9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1odjUzLXFqZzYtNXBtOc4AAkKl
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-hv53-qjg6-5pm9, CVE-2020-2173
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2173
- https://jenkins.io/security/advisory/2020-04-07/#SECURITY-1633
- http://www.openwall.com/lists/oss-security/2020/04/07/3
- https://github.com/jenkinsci/gatling-plugin/commit/8a9ae59c6b3328776d38af6596b35cef1ced05a7
- https://github.com/advisories/GHSA-hv53-qjg6-5pm9
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:gatling
Affected Version Ranges: <= 1.2.7Fixed in: 1.3.0