Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a 'link' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability.

Embeddable Build Status Plugin 2.0.4 limits URLs to http and https protocols and correctly escapes the provided value.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-34178
• https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2567
• jenkinsci/embeddable-build-status-plugin@0fc4a19