High severityNVD Advisory· Published Jun 22, 2022· Updated Aug 3, 2024

CVE-2022-34178

CVE-2022-34178

Description

Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a 'link' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:embeddable-build-status (Maven) | < 2.0.4 | 2.0.4

Affected products


Patches

0fc4a1995063

[SECURITY-2567]

1 file changed · +16 2
  • src/main/java/org/jenkinsci/plugins/badge/StatusImage.java+16 2 modified
    @@ -7,6 +7,9 @@
     
     package org.jenkinsci.plugins.badge;
     
    +import java.net.MalformedURLException;
    +import java.util.logging.Level;
    +import java.util.logging.Logger;
     import org.apache.commons.io.IOUtils;
     import jenkins.model.Jenkins;
     import org.kohsuke.stapler.HttpResponse;
    @@ -44,6 +47,7 @@
      * can change any time, we use ETag to skip the actual data transfer if possible.
      */
     class StatusImage implements HttpResponse {
    +    public static final Logger LOGGER = Logger.getLogger(StatusImage.class.getName());
         private final byte[] payload;
         private static final String PLGIN_NAME = "embeddable-build-status";
     
    @@ -102,7 +106,7 @@ class StatusImage implements HttpResponse {
             if (animatedColorName != null) animatedColorName = StringEscapeUtils.escapeHtml(animatedColorName);
             if (colorName != null) colorName = StringEscapeUtils.escapeHtml(colorName);
             if (style != null) style = StringEscapeUtils.escapeHtml(style);
    -        if (link != null) link = StringEscapeUtils.escapeHtml(link);
    +        if (link != null) link = StringEscapeUtils.escapeHtml(StringEscapeUtils.escapeHtml(link)); // double-escape because concatenating into an attribute effectively removes one level of quoting
             
             if (baseUrl != null) {
                 etag = Jenkins.RESOURCE_PATH + '/' + subject + status + colorName + animatedColorName + style;
    @@ -167,7 +171,17 @@ class StatusImage implements HttpResponse {
                 }
     
                 if (link != null) {
    -                linkCode = "<svg onclick=\"window.open('" + link + "');\" style=\"cursor: pointer;\" xmlns";
    +                try {
    +                    URL url = new URL(link);
    +                    final String protocol = url.getProtocol();
    +                    if (protocol.equals("http") || protocol.equals("https")) {
    +                        linkCode = "<svg onclick=\"window.open(&quot;" + link + "&quot;);\" style=\"cursor: pointer;\" xmlns";
    +                    } else {
    +                        LOGGER.log(Level.FINE, "Invalid link protocol: " + protocol);
    +                    }
    +                } catch (MalformedURLException ex) {
    +                    LOGGER.log(Level.FINE, "Invalid link URL: " + link, ex);
    +                }
                 }
     
                 try {
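Review bot: The double HTML escape on line 56 combined with the `&quot;`-delimited onclick on line 69 appears to leave one level of HTML escaping in the value handed to `window.open`: the browser decodes the attribute once, so an `&` in a legitimate query string (e.g. `?a=1&b=2`) would reach the JavaScript string as `&amp;` and the opened URL would carry `amp;b=2` as a parameter name. A more conventional encoding for a value embedded in a JS string literal inside an attribute is a JavaScript-string escape followed by a single HTML escape (commons-lang 2's `StringEscapeUtils.escapeJavaScript`, if that is the version in use, which the `escapeHtml` call suggests), applied after the http/https allowlist check on the raw value rather than before it, so the scheme is validated on what the user actually sent. Minor: `LOGGER` in the second hunk is `public static final` where `private` would do, and the `java.net.URL` type used on line 66 is not added in the import hunk — fine only if it is already imported above, outside the view. The enclosing method starts and ends outside the hunk.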
    

Vulnerability mechanics


References


News mentions

