Moderate severityNVD Advisory· Published Jun 22, 2022· Updated Aug 3, 2024

CVE-2022-34180

Description

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.plugins:embeddable-build-statusMaven	< 2.0.4	2.0.4

Affected products

Jenkins Project/Jenkins Embeddable Build Status Pluginv5
Range: unspecified

Patches

402148784b3f

[SECURITY-2794]

https://github.com/jenkinsci/embeddable-build-status-pluginDaniel BeckJun 21, 2022via ghsa

commit

1 file changed · +10 −4

src/main/java/org/jenkinsci/plugins/badge/actions/PublicBuildStatusAction.java+10 −4 modified

@@ -134,8 +134,11 @@ public String doText(StaplerRequest req, StaplerResponse rsp, @QueryParameter St
         }
 
         // check if user has permission to view the status
-        if(throwErrorWhenNotFound && (p == null || !p.hasPermission(VIEW_STATUS))){
-            throw HttpResponses.notFound();            
+        if (p == null || !p.hasPermission(VIEW_STATUS)) {
+            if (throwErrorWhenNotFound) {
+                throw HttpResponses.notFound();
+            }
+            return null;
         }
         
         return p;
@@ -180,8 +183,11 @@ public String doText(StaplerRequest req, StaplerResponse rsp, @QueryParameter St
             }    
         }
         // check if user has permission to view the status
-        if(throwErrorWhenNotFound && (run == null || !run.hasPermission(VIEW_STATUS))){
-            throw HttpResponses.notFound();
+        if (run == null || !run.hasPermission(VIEW_STATUS)) {
+            if (throwErrorWhenNotFound) {
+                throw HttpResponses.notFound();
+            }
+            return null;
         }
 
         return run;

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-xxhf-xq6v-c8mjghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-34180ghsaADVISORY
github.com/jenkinsci/embeddable-build-status-plugin/commit/402148784b3f4b029eaf47cc26ebf6b9bc636183ghsaWEB
www.jenkins.io/security/advisory/2022-06-22/ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000