vulnerability

Jenkins Advisory 2022-06-22: CVE-2022-34180: Improper authorization in Embeddable Build Status Plugin bypasses ViewStatus permission requirement

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

Jun 23, 2022

Added

Jul 12, 2022

Modified

Mar 27, 2026

Description

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

Solutions

jenkins-lts-upgrade-2_332_4jenkins-upgrade-2_356

References

CVE-2022-34180
https://attackerkb.com/topics/CVE-2022-34180
CWE-863
EUVD-EUVD-2022-6198
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-6198
https://jenkins.io/security/advisory/2022-06-22/

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report