Moderate severityNVD Advisory· Published Jun 22, 2022· Updated Aug 3, 2024

CVE-2022-34179

Description

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a style query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.plugins:embeddable-build-statusMaven	< 2.0.4	2.0.4

Affected products

Jenkins Project/Jenkins Embeddable Build Status Pluginv5
Range: unspecified

Patches

63f82f28d989

[SECURITY-2792]

https://github.com/jenkinsci/embeddable-build-status-pluginDaniel BeckJun 21, 2022via ghsa

commit

1 file changed · +2 −2

src/main/java/org/jenkinsci/plugins/badge/StatusImage.java+2 −2 modified

@@ -8,6 +8,7 @@
 package org.jenkinsci.plugins.badge;
 
 import java.net.MalformedURLException;
+import java.util.Arrays;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.commons.io.IOUtils;
@@ -105,13 +106,12 @@ class StatusImage implements HttpResponse {
         if (status != null) status = StringEscapeUtils.escapeHtml(status);
         if (animatedColorName != null) animatedColorName = StringEscapeUtils.escapeHtml(animatedColorName);
         if (colorName != null) colorName = StringEscapeUtils.escapeHtml(colorName);
-        if (style != null) style = StringEscapeUtils.escapeHtml(style);
         if (link != null) link = StringEscapeUtils.escapeHtml(StringEscapeUtils.escapeHtml(link)); // double-escape because concatenating into an attribute effectively removes one level of quoting
         
         if (baseUrl != null) {
             etag = Jenkins.RESOURCE_PATH + '/' + subject + status + colorName + animatedColorName + style;
     
-            if (style == null) {
+            if (style == null || !Arrays.asList("flat-square", "plastic").contains(style)) { // explicitly list allowed values for SECURITY-2792
                 style = "flat";
             }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-93mx-2vf9-28c4ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-34179ghsaADVISORY
github.com/jenkinsci/embeddable-build-status-plugin/commit/63f82f28d989d30a23089a0a66c11f222651a8c6ghsaWEB
www.jenkins.io/security/advisory/2022-06-22/ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000