CVE-2022-34180

CWE-863 — Incorrect Authorization CWE-862 — Missing Authorization5 documents5 sources

Severity

7.5HIGH

EPSS

0.6%

top 31.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Embeddable Build Status Plugin Jenkins Embeddable Build Status

Timeline

PublishedJun 23

Latest updateJun 24

Description

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:embeddable-build-status< 2.0.4

▶CVEListV5jenkins_project/jenkins_embeddable_build_status_pluginunspecified — 2.0.3

▶NVDjenkins/embeddable_build_status2.0.3

🔴Vulnerability Details

GHSA

Improper authorization in Jenkins Embeddable Build Status Plugin bypasses ViewStatus permission requirement↗2022-06-24

▶

OSV

Improper authorization in Jenkins Embeddable Build Status Plugin bypasses ViewStatus permission requirement↗2022-06-24

▶

CVEList

CVE-2022-34180: Jenkins Embeddable Build Status Plugin 2↗2022-06-22

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-06-22↗2022-06-22

▶