PT-2022-22048 · Jenkins · Jenkins Embeddable Build Status Plugin

Published: 2022-06-22 · Updated: 2023-11-03 · CVE-2022-34180

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Embeddable Build Status Plugin versions 2.0.3 and earlier

Description

The plugin does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access. This allows attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

Recommendations

For Jenkins Embeddable Build Status Plugin versions 2.0.3 and earlier, update to version 2.0.4 or later, which requires ViewStatus permission to obtain the build status badge icon. As a temporary workaround, restrict access to the HTTP endpoint for "unprotected" status badge access until the update can be applied.
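The following is an added illustration, not code from the plugin or from this advisory: a minimal status-badge endpoint in Python with constructed job data, showing the check the description says was missing (the "unprotected" endpoint serving a badge for any named job) beside a corrected version that requires ViewStatus on the named job before responding. The JOBS table, the has_view_status helper, the request path and the choice to answer 404 for unauthorized jobs are all assumptions of the example.

```python
# Added example (not the plugin's own code): a status-badge endpoint with
# the missing ViewStatus check and the corrected version side by side.
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: each job's last build result and the users that
# hold ViewStatus on it. "anonymous" stands for an unauthenticated caller.
JOBS = {
    "public-site": {"result": "SUCCESS", "view_status": {"anonymous", "alice"}},
    "internal-payroll": {"result": "FAILURE", "view_status": {"alice"}},
}


def badge_svg(result):
    """Render a tiny SVG badge; the attribute values are what a caller learns."""
    colour = {"SUCCESS": "brightgreen", "FAILURE": "red"}.get(result, "lightgrey")
    return f'<svg data-status="{result.lower()}" data-colour="{colour}"/>'


def has_view_status(user, job_name):
    """Hypothetical permission check: does `user` hold ViewStatus on the job?"""
    job = JOBS.get(job_name)
    return job is not None and user in job["view_status"]


def unprotected_badge_vulnerable(user, job_name):
    """Before the fix: the endpoint never consults ViewStatus, so `user` is
    ignored and any caller learns the build result of any job they can name."""
    job = JOBS.get(job_name)
    if job is None:
        return 404, ""
    return 200, badge_svg(job["result"])


def unprotected_badge_fixed(user, job_name):
    """After the fix: the same endpoint checks ViewStatus on the named job.
    Unknown and forbidden jobs both get 404 so the response does not reveal
    which job names exist (a design choice of this example)."""
    if not has_view_status(user, job_name):
        return 404, ""
    return 200, badge_svg(JOBS[job_name]["result"])


def handle_request(url, user, handler):
    """Dispatch a badge request of the (assumed) form /buildStatus/icon?job=NAME."""
    parts = urlsplit(url)
    if parts.path != "/buildStatus/icon":
        return 404, ""
    job_name = parse_qs(parts.query).get("job", [""])[0]
    return handler(user, job_name)


if __name__ == "__main__":
    url = "/buildStatus/icon?job=internal-payroll"
    print("vulnerable, anonymous:", handle_request(url, "anonymous", unprotected_badge_vulnerable))
    print("fixed, anonymous:     ", handle_request(url, "anonymous", unprotected_badge_fixed))
    print("fixed, alice:         ", handle_request(url, "alice", unprotected_badge_fixed))
```

Run with no arguments: the vulnerable handler returns the red badge for the internal job to an anonymous caller, while the fixed handler returns 404 to anonymous and the badge only to a user holding ViewStatus. The point the example makes is that an "unprotected" route still has to evaluate the per-job permission; skipping it because the route is meant to be public is exactly the gap the advisory describes.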

Fix

Weakness Enumeration

Incorrect Authorization

Missing Authorization

Related Identifiers

CVE-2022-34180
GHSA-XXHF-XQ6V-C8MJ

Affected Products

Jenkins
Jenkins Embeddable Build Status Plugin