Description

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2794

Related Vulnerabilities

CVE-2020-36320 Vulnerability in maven package com.vaadin:vaadin-server

CVE-2023-29508 Vulnerability in maven package org.xwiki.platform:xwiki-platform-livedata-macro

CVE-2018-14042 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap

CVE-2016-3088 Vulnerability in maven package org.apache.activemq:apache-activemq

CVE-2012-0047 Vulnerability in maven package org.apache.wicket:wicket

Severity

High

Classification

CWE-863 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory