PT-2020-15383 · Jenkins · Jenkins Gatling Plugin

Daniel Beck · Published 2020-04-07 · Updated 2023-11-02 · CVE-2020-2173

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Gatling Plugin versions 1.2.7 and earlier

Description: The plugin prevents Content-Security-Policy headers from being set on the Gatling reports it serves, which bypasses the Content-Security-Policy protection introduced in certain Jenkins versions. As a result, the reports are affected by a cross-site scripting (XSS) vulnerability that is exploitable by users able to change report content.

Recommendations: For versions 1.2.7 and earlier, consider updating to version 1.3.0 or later, which no longer allows viewing Gatling reports directly in Jenkins, thereby mitigating the risk of exploitation. As a temporary workaround, consider restricting access to the Gatling reports served by the plugin until a patch is available.
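The advisory's core point is that a report page served without a Content-Security-Policy header, or with one that still permits inline script, is not protected against script injected into report content. The following check is an added example written for this page; it is not code from the advisory, from Jenkins, or from the Gatling plugin. It takes the response headers of a served report page and reports whether script execution is actually restricted. The URL paths and header sets in SAMPLE_RESPONSES are constructed, not captured traffic, and the restrictive policy string is a generic illustration rather than Jenkins's exact default.

```python
# Added example (not from the advisory or the plugin): audit response headers
# of served report pages for an effective Content-Security-Policy.
from typing import Dict, List, Mapping, Optional


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy: Mapping[str, List[str]]) -> Optional[List[str]]:
    """script-src governs script execution; when absent, default-src applies."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def report_is_csp_protected(headers: Mapping[str, str]) -> bool:
    """True only if a CSP header is present and does not allow inline/any script."""
    csp = None
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "content-security-policy":
            csp = value
    if csp is None:
        return False  # no header at all: the situation the advisory describes
    sources = effective_script_sources(parse_csp(csp))
    if sources is None:
        return False  # neither script-src nor default-src: inline scripts run
    normalised = [s.strip("'").lower() for s in sources]
    if "unsafe-inline" in normalised or "*" in normalised:
        return False  # header present but script execution is not restricted
    return True


def audit(responses: Mapping[str, Mapping[str, str]]) -> Dict[str, bool]:
    """Map each report URL to whether its response headers protect it."""
    return {url: report_is_csp_protected(h) for url, h in responses.items()}


# Constructed sample responses (hypothetical paths, not real Jenkins URLs).
SAMPLE_RESPONSES = {
    "/hypothetical/report-1/index.html": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "sandbox; default-src 'none'; img-src 'self'; style-src 'self';",
    },
    "/hypothetical/report-2/index.html": {
        "Content-Type": "text/html",  # no CSP header: unprotected
    },
    "/hypothetical/report-3/index.html": {
        "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    },
}

if __name__ == "__main__":
    for url, ok in audit(SAMPLE_RESPONSES).items():
        print(f"{'PROTECTED  ' if ok else 'UNPROTECTED'} {url}")
```

Running the block flags the second and third sample pages: the one with no header at all matches the plugin behaviour the advisory describes, and the one whose policy allows 'unsafe-inline' shows that merely having a header is not enough. The same function can be applied to headers fetched from any report endpoint during a post-upgrade verification.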

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-2173
GHSA-HV53-QJG6-5PM9

Affected Products

Jenkins
Jenkins Gatling Plugin