CVE-2020-2173
MEDIUM6.1EPSS 0.16%XSS vulnerability in Jenkins Gatling Plugin
發布日:2022/5/24修改日:2023/11/8
描述
Gatling Plugin 1.2.7 and earlier serves Gatling reports in a manner that bypasses the `Content-Security-Policy` protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content. Gatling Plugin 1.3.0 no longer allows viewing Gatling reports directly in Jenkins. Instead users need to download an archive containing the report.
受影響套件(1)
- Maven/org.jenkins-ci.plugins:gatlingfrom 0, < 1.3.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-2173
- PATCHttps://github.com/jenkinsci/gatling-plugin
- WEBhttps://github.com/jenkinsci/gatling-plugin/commit/8a9ae59c6b3328776d38af6596b35cef1ced05a7
- WEBhttps://jenkins.io/security/advisory/2020-04-07/#SECURITY-1633
- WEBhttp://www.openwall.com/lists/oss-security/2020/04/07/3