CVE-2025-5806
BaseFortify
Publication date: 2025-06-06
Last updated on: 2025-09-17
Assigner: Jenkins Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | gatling | to 136.vb_9009b_3d33a_e (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) flaw in the Jenkins Gatling Plugin version 136.vb_9009b_3d33a_e and earlier. It occurs because the plugin serves Gatling reports in a way that bypasses the Content-Security-Policy (CSP) protections introduced in Jenkins versions 1.641 and 1.625.3. This allows users who can modify report content to exploit the XSS vulnerability. [1]
How can this vulnerability impact me? :
The vulnerability can lead to a high-severity impact including unauthorized script execution in the context of the Jenkins web interface. This can result in compromise of confidentiality, integrity, and availability of the Jenkins environment, as indicated by the CVSS score with high impact on confidentiality, integrity, and availability. Attackers able to modify report content can exploit this to execute malicious scripts. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a cross-site scripting (XSS) issue in the Jenkins Gatling Plugin version 136.vb_9009b_3d33a_e and earlier, which serves Gatling reports bypassing Content-Security-Policy protections. Detection involves verifying the plugin version installed on your Jenkins instance. Since the vulnerability requires the ability to modify report content, checking for the presence of the vulnerable plugin version is key. There are no specific network or system commands provided to detect exploitation attempts or the vulnerability itself. You can check the installed plugin version via Jenkins UI or by running Jenkins CLI commands such as: 'java -jar jenkins-cli.jar -s http://your-jenkins/ list-plugins | grep gatling' to identify the Gatling Plugin version. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no fix is currently available for this vulnerability, the immediate mitigation step is to downgrade the Gatling Plugin to version 1.3.0, which is not affected by this vulnerability. Additionally, restrict the ability to modify Gatling report content to trusted users only, as exploitation requires such privileges. [1]