CVE-2020-2173
XSS vulnerability in Jenkins Gatling Plugin
Severity: 6.1 MEDIUM (CVSS 3.1); EPSS 0.16%
Description
Gatling Plugin 1.2.7 and earlier serves Gatling reports in a manner that bypasses the `Content-Security-Policy` protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content. Gatling Plugin 1.3.0 no longer allows viewing Gatling reports directly in Jenkins. Instead users need to download an archive containing the report.
How to fix CVE-2020-2173
To remediate CVE-2020-2173, upgrade the affected package to a fixed version below.
- upgrade to 1.3.0 or later
Is CVE-2020-2173 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |