GHSA-hv53-qjg6-5pm9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hv53-qjg6-5pm9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hv53-qjg6-5pm9/GHSA-hv53-qjg6-5pm9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hv53-qjg6-5pm9
- Aliases
- Published
- 2022-05-24T17:13:39Z
- Modified
- 2023-11-08T04:02:54.773Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- XSS vulnerability in Jenkins Gatling Plugin
- Details
-
Gatling Plugin 1.2.7 and earlier serves Gatling reports in a manner that bypasses the
Content-Security-Policyprotection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.Gatling Plugin 1.3.0 no longer allows viewing Gatling reports directly in Jenkins. Instead users need to download an archive containing the report.
- Database specific
{ "nvd_published_at": "2020-04-07T13:15:00Z", "github_reviewed_at": "2022-12-20T17:39:30Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-2173
- https://github.com/jenkinsci/gatling-plugin/commit/8a9ae59c6b3328776d38af6596b35cef1ced05a7
- https://jenkins.io/security/advisory/2020-04-07/#SECURITY-1633
- http://www.openwall.com/lists/oss-security/2020/04/07/3
- ttps://github.com/jenkinsci/gatling-plugin
Affected packages
Maven / org.jenkins-ci.plugins:gatling
Package
- Name
- org.jenkins-ci.plugins:gatling
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/gatling
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.3.0