CVE-2020-2173: 
Java vulnerability analysis and mitigation

Jenkins Gatling Plugin versions 1.2.7 and earlier contain a security vulnerability (CVE-2020-2173) that was discovered and disclosed in April 2020. The vulnerability affects the plugin's handling of Content-Security-Policy headers when serving Gatling reports, potentially exposing users to cross-site scripting (XSS) attacks (Jenkins Advisory, NVD).

The vulnerability stems from the plugin's implementation that prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin. This bypasses the Content-Security-Policy protection that was introduced in Jenkins versions 1.641 and 1.625.3. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability results in a cross-site scripting (XSS) vulnerability that can be exploited by users who have the ability to modify report content. This could potentially allow attackers to execute malicious scripts in the context of other users' browsers who view the affected Gatling reports (Jenkins Advisory).

The vulnerability has been fixed in Gatling Plugin version 1.3.0. In this version, the plugin no longer allows viewing Gatling reports directly in Jenkins. Instead, users need to download an archive containing the report. Organizations using affected versions should upgrade to version 1.3.0 or later to address this security issue (Jenkins Advisory).

The vulnerability was discovered and reported by Daniel Beck of CloudBees, Inc., highlighting the active security research within the Jenkins community (Jenkins Advisory).