Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05M214LTJ2ZjktMjhjNM4AAs8b
Path Traversal vulnerability in Jenkins Embeddable Build Status Plugin
Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a style query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system.
Embeddable Build Status Plugin 2.0.4 restricts the style query parameter to one of the three legal values.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05M214LTJ2ZjktMjhjNM4AAs8b
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-93mx-2vf9-28c4, CVE-2022-34179
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-34179
- https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2792
- https://github.com/jenkinsci/embeddable-build-status-plugin/commit/63f82f28d989d30a23089a0a66c11f222651a8c6
- https://github.com/advisories/GHSA-93mx-2vf9-28c4
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:embeddable-build-status
Affected Version Ranges: < 2.0.4Fixed in: 2.0.4