Description
Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.
Remediation
References
https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2794