=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN344

_____________________________________________________________________

DATE                : 10/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Gatling Plugin for Jenkins
                   versions up to and including 136.vb_9009b_3d33a_e.

=====================================================================
https://www.jenkins.io/security/advisory/2025-06-06/
_____________________________________________________________________


 Jenkins Security Advisory 2025-06-06

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Gatling Plugin

Descriptions
XSS vulnerability in Gatling Plugin
SECURITY-3588 / CVE-2025-5806
Severity (CVSS): High
Affected plugin: gatling

Description:

Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner
that bypasses the Content-Security-Policy protection introduced in
Jenkins 1.641 and 1.625.3.

This results in a cross-site scripting (XSS) vulnerability exploitable
by users able to change report content.

As of publication of this advisory, there is no fix. Learn why we announce
this. Affected users are advised to downgrade to version 1.3.0.

The section "Affected Versions" below claims that earlier versions
are affected as well. They are not. This presentation is a technical
limitation of advisory pages on jenkins.io.
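The protection the advisory refers to is the restrictive Content-Security-Policy Jenkins attaches to user-controlled files it serves. The following added example (not part of the advisory, nor Jenkins or plugin code) checks whether a response serving a report still carries a script-blocking policy; the default header value is assumed from Jenkins documentation for DirectoryBrowserSupport and the sample responses are constructed.

```python
"""Check whether an HTTP response serving a Jenkins report is covered by a
Content-Security-Policy that stops scripts embedded in the report from
running (the protection this advisory says the Gatling Plugin bypasses)."""

# Default CSP Jenkins sets on files served through DirectoryBrowserSupport
# (assumed from Jenkins documentation; not stated in the advisory).
JENKINS_DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def script_execution_blocked(policy: dict[str, list[str]]) -> bool:
    """True if the policy prevents scripts inside the served report from running."""
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True  # a sandbox without allow-scripts disables script execution
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # neither script-src nor default-src: scripts unrestricted
    return sources == ["'none'"]


def report_is_protected(headers: dict[str, str]) -> bool:
    """Evaluate response headers (names matched case-insensitively) for a served report."""
    csp = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), None)
    if csp is None:
        return False
    return script_execution_blocked(parse_csp(csp))


# Constructed sample responses for a report page; not captured Jenkins traffic.
SAMPLE_RESPONSES = {
    "jenkins_default": {"Content-Type": "text/html", "Content-Security-Policy": JENKINS_DEFAULT_CSP},
    "no_csp": {"Content-Type": "text/html"},
    "weak_csp": {"Content-Type": "text/html",
                 "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"},
}


def audit(responses=SAMPLE_RESPONSES) -> dict[str, bool]:
    """Map each sample response name to whether its report is script-protected."""
    return {name: report_is_protected(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name}: {'protected' if ok else 'UNPROTECTED'}")
```

Pointing the same check at the headers of a report actually served by a Jenkins instance shows whether the report path carries the policy or is served outside it.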


Severity

    SECURITY-3588: High


Affected Versions

    Gatling Plugin up to and including 136.vb_9009b_3d33a_e


Fix

As of publication of this advisory, no fixes are available for the
following plugins:

    Gatling Plugin

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
