GHSA-xxhf-xq6v-c8mj

Source
https://github.com/advisories/GHSA-xxhf-xq6v-c8mj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-xxhf-xq6v-c8mj/GHSA-xxhf-xq6v-c8mj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xxhf-xq6v-c8mj
Aliases
Published
2022-06-24T00:00:31Z
Modified
2024-02-16T08:13:57.543598Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Improper authorization in Jenkins Embeddable Build Status Plugin bypasses ViewStatus permission requirement
Details

Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access.

This allows attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

Embeddable Build Status Plugin 2.0.4 requires ViewStatus permission to obtain the build status badge icon.

Database specific
{
    "nvd_published_at": "2022-06-23T17:15:00Z",
    "cwe_ids": [
        "CWE-862",
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-05T22:59:57Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:embeddable-build-status

Package

Name
org.jenkins-ci.plugins:embeddable-build-status
Purl
pkg:maven/org.jenkins-ci.plugins/embeddable-build-status

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.0.4

Affected versions

${revision}231.*

${revision}231.v678984136a_0b_

1.*

1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9

2.*

2.0-beta1
2.0-beta2
2.0
2.0.1
2.0.2
2.0.3