CVE-2025-5806

Name
CVE-2025-5806
Description
Jenkins Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                                  | URI
--------------------------------------|------------------------------------------------------------------
vendor-advisory                       | https://www.jenkins.io/security/advisory/2025-06-06/#SECURITY-3588
af854a3a-2127-422b-91ae-364da2661108  | http://www.openwall.com/lists/oss-security/2025/06/06/8

Match rules

CPE URI                                          | Source package         | Min version             | Max version
-------------------------------------------------|------------------------|-------------------------|------------------------
                                                 | jenkins-gatling-plugin | == 136.vb_9009b_3d33a_e | == 136.vb_9009b_3d33a_e
cpe:2.3:a:jenkins:gatling:*:*:*:*:*:jenkins:*:*  | jenkins                | >= None                 | <= 136.vb_9009b_3d33a_e

Vulnerable and fixed packages

Source package | Branch         | Version    | Maintainer                                    | Status
---------------|----------------|------------|-----------------------------------------------|--------------------
jenkins        | edge-community | 2.479.1-r0 | Francesco Colista <fcolista@alpinelinux.org>  | possibly vulnerable
jenkins        | edge-community | 2.479.1-r1 | Francesco Colista <fcolista@alpinelinux.org>  | possibly vulnerable
jenkins        | edge-community | 2.516.1-r0 | Francesco Colista <fcolista@alpinelinux.org>  | possibly vulnerable
jenkins        | 3.22-community | 2.479.1-r0 | Francesco Colista <fcolista@alpinelinux.org>  | possibly vulnerable
jenkins        | 3.22-community | 2.479.1-r1 | Francesco Colista <fcolista@alpinelinux.org>  | possibly vulnerable