Description
Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.
Remediation
References
https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2794