Description

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2794

Related Vulnerabilities

CVE-2019-17558 Vulnerability in maven package org.apache.solr:solr-velocity

CVE-2020-28052 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15on

CVE-2019-1003042 Vulnerability in maven package org.6wind.jenkins:lockable-resources

CVE-2022-34786 Vulnerability in maven package org.jenkins-ci.plugins:rich-text-publisher-plugin

CVE-2023-24443 Vulnerability in maven package org.jenkins-ci.plugins:testcomplete

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory