GHSA-93mx-2vf9-28c4

Source

https://github.com/advisories/GHSA-93mx-2vf9-28c4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-93mx-2vf9-28c4/GHSA-93mx-2vf9-28c4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-93mx-2vf9-28c4

Aliases

CVE-2022-34179

Published

2022-06-24T00:00:31Z

Modified

2023-11-08T04:09:42.618934Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Path Traversal vulnerability in Jenkins Embeddable Build Status Plugin

Details

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a style query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system.

Embeddable Build Status Plugin 2.0.4 restricts the style query parameter to one of the three legal values.

Database specific

{
    "nvd_published_at": "2022-06-23T17:15:00Z",
    "github_reviewed_at": "2022-07-05T22:59:51Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:embeddable-build-status

Package

Name: org.jenkins-ci.plugins:embeddable-build-status; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/embeddable-build-status

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.4

Affected versions

$%7Brevision%7D231.*

$%7Brevision%7D231.v678984136a_0b_

1.*

1.0

1.1

1.2

1.3

1.4

1.5

1.6

1.7

1.8

1.9

2.*

2.0-beta1

2.0-beta2

2.0

2.0.1

2.0.2

2.0.3