CVE-2022-34180

First published: Wed Jun 22 2022(Updated: )

Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for \"unprotected\" status badge access. This allows attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build. Embeddable Build Status Plugin 2.0.4 requires ViewStatus permission to obtain the build status badge icon.

Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com

Affected Software	Affected Version	How to fix
Jenkins Embeddable Build Status	<=2.0.3

Never miss a vulnerability like this again

Reference Links

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2794

collector/github-advisory-latest
alias/GHSA-xxhf-xq6v-c8mj
alias/CVE-2022-34180
collector/nvd-index
collector/nvd-cve
collector/nvd-api
agent/author
agent/type
agent/event
agent/last-modified-date
agent/first-publish-date
agent/weakness
agent/references
agent/severity
agent/softwarecombine
agent/description
agent/tags
collector/mitre-cve
source/MITRE
package-manager/maven
vendor/jenkins
canonical/jenkins embeddable build status
version/jenkins embeddable build status/2.0.3

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.