Relative Path Traversal Vulnerability in Jenkins Embeddable Build Status Plugin
CVE-2022-34179

7.5HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Embeddable Build Status Plugin
Vendor: CVE Published:; 22 June 2022

Summary

The Jenkins Embeddable Build Status Plugin versions up to 2.0.3 is susceptible to a relative path traversal vulnerability. This issue arises from the lack of restrictions on the style query parameter, which allows attackers to specify arbitrary paths to SVG images on the Jenkins controller file system. Importantly, this vulnerability can be exploited by users who lack Overall/Read permissions, enabling unauthorized access and manipulation of files on the system.

Affected Version(s)

Jenkins Embeddable Build Status Plugin <= 2.0.3

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 22, 2022
Vulnerability Reserved
Jun 21, 2022