Vulnerabilities > CVE-2022-34180 - Incorrect Authorization vulnerability in Jenkins Embeddable Build Status

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

jenkins

CWE-863

NVD

Published: 2022-06-23

Updated: 2023-11-03

Summary

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

Vulnerable Configurations

Part	Description	Count
Application	Jenkins Jenkins Embeddable Build Status 1.0 Jenkins Embeddable Build Status 1.1 Jenkins Embeddable Build Status 1.2 Jenkins Embeddable Build Status 1.3 Jenkins Embeddable Build Status 1.4 Jenkins Embeddable Build Status 1.5 Jenkins Embeddable Build Status 1.6 Jenkins Embeddable Build Status 1.7 Jenkins Embeddable Build Status 1.8 Jenkins Embeddable Build Status 1.9 Jenkins Embeddable Build Status 2.0 Jenkins Embeddable Build Status 2.0.1 Jenkins Embeddable Build Status 2.0.2 Jenkins Embeddable Build Status 2.0.3	16

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2794