CVE-2022-34179
📋 TL;DR
The Jenkins Embeddable Build Status Plugin before version 2.0.4 has a path traversal vulnerability that allows attackers without proper permissions to access arbitrary SVG files on the Jenkins controller file system. Attackers can exploit this by manipulating the 'style' query parameter to read sensitive files. All Jenkins instances using vulnerable plugin versions are affected.
💻 Affected Systems
- Jenkins Embeddable Build Status Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive configuration files, credentials, or other critical system files stored on the Jenkins controller, potentially leading to full system compromise.
Likely Case
Unauthenticated or low-privileged users reading sensitive Jenkins configuration files, build logs, or credentials stored in accessible locations.
If Mitigated
Limited file access restricted to SVG files in specific directories with proper file permissions.
🎯 Exploit Status
Exploitation requires only HTTP requests with manipulated query parameters. No authentication needed for internet-facing instances.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.4
Vendor Advisory: https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2792
Restart Required: Yes
Instructions:
1. Access Jenkins web interface as administrator. 2. Navigate to Manage Jenkins > Manage Plugins. 3. Go to Available tab. 4. Search for 'Embeddable Build Status Plugin'. 5. Check the update box and install version 2.0.4 or later. 6. Restart Jenkins after installation.
🔧 Temporary Workarounds
Disable vulnerable endpoint
allBlock access to the vulnerable SVG endpoint using web server configuration or firewall rules.
# For Apache: RewriteRule ^/plugin/embeddable-build-status/.*\.svg$ - [F]
# For Nginx: location ~ ^/plugin/embeddable-build-status/.*\.svg$ { return 403; }
Restrict network access
linuxLimit Jenkins controller access to trusted networks only.
# Firewall rule example: iptables -A INPUT -p tcp --dport 8080 -s trusted_network -j ACCEPT
# iptables -A INPUT -p tcp --dport 8080 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Jenkins from untrusted networks
- Apply strict file system permissions to limit readable files on Jenkins controller
🔍 How to Verify
Check if Vulnerable:
Check plugin version in Jenkins web interface: Manage Jenkins > Manage Plugins > Installed tab, search for 'Embeddable Build Status Plugin'.Check Version:
curl -s http://jenkins-host/pluginManager/api/json?depth=1 | grep -o '"embeddable-build-status":{[^}]*' | grep -o '"version":"[^"]*'Verify Fix Applied:
Verify plugin version is 2.0.4 or later in the Installed plugins list. Test by attempting to access SVG files with path traversal payloads.📡 Detection & Monitoring
Log Indicators:
- HTTP requests with 'style' parameter containing '../' sequences
- Access to unexpected SVG files or error responses from the plugin
Network Indicators:
- HTTP GET requests to /plugin/embeddable-build-status/*.svg with unusual query parameters
- Multiple failed attempts to access restricted files
SIEM Query:
source="jenkins_access.log" AND uri_path="/plugin/embeddable-build-status/" AND (query="*../*" OR status=403 OR status=404)