Description

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2794

Related Vulnerabilities

CVE-2019-10241 Vulnerability in maven package org.eclipse.jetty:jetty-util

CVE-2009-0781 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2007-5333 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2015-5348 Vulnerability in maven package org.apache.camel:camel-jetty9

CVE-2023-32695 Vulnerability in npm package socket.io-parser

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory