Description
Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.
References
- Vendor Advisory
- Vendor Advisory
Vulnerable configurations
Configuration 1: versions up to and including 2.0.3
cpe:2.3:a:jenkins:embeddable_build_status:*:*:*:*:*:jenkins:*:*
EPSS
Percentile: 70%
0.00648
Low
7.5 High
CVSS3
5 Medium
CVSS2
Weaknesses
CWE-863
Related vulnerabilities
CVSS3: 5.3
github
about 3 years ago
Improper authorization in Jenkins Embeddable Build Status Plugin bypasses ViewStatus permission requirement