Описание
XSS vulnerability in Jenkins Gatling Plugin
Gatling Plugin 1.2.7 and earlier serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.
Gatling Plugin 1.3.0 no longer allows viewing Gatling reports directly in Jenkins. Instead users need to download an archive containing the report.
Пакеты
Наименование
org.jenkins-ci.plugins:gatling
maven
Затронутые версииВерсия исправления
<= 1.2.7
1.3.0
Связанные уязвимости
CVSS3: 5.4
nvd
почти 6 лет назад
Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.