CVE-2022-38666
Description
Jenkins NS-ND Integration Performance Publisher Plugin <= 4.8.0.146 unconditionally disables SSL/TLS certificate and hostname validation for several features, enabling man-in-the-middle attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins NS-ND Integration Performance Publisher Plugin <= 4.8.0.146 unconditionally disables SSL/TLS certificate and hostname validation for several features, enabling man-in-the-middle attacks.
The NS-ND Integration Performance Publisher Plugin for Jenkins, versions 4.8.0.146 and earlier, unconditionally disables SSL/TLS certificate and hostname validation for several of its features [1][2]. This means the plugin does not verify the authenticity of SSL/TLS certificates presented by remote servers, nor does it check that the hostname in the certificate matches the expected server hostname.
An attacker with the ability to intercept network traffic between a Jenkins controller or agent and the plugin's target servers can perform a man-in-the-middle (MITM) attack [1][2]. Because certificate validation is completely disabled, the attacker can present a forged or self-signed certificate without detection. No special privileges on Jenkins are required beyond network positioning; the vulnerability exists in the plugin's default configuration.
Successful exploitation allows the attacker to eavesdrop on, modify, or inject data into the communication between Jenkins and the plugin's external services [1][2]. This could lead to disclosure of sensitive information, corruption of performance test results, or further compromise of the Jenkins environment.
The vulnerability is addressed in plugin version 4.8.0.147 [2]. Users should upgrade to this version or later to restore proper SSL/TLS verification. There is no workaround available in the affected versions; updating the plugin is the only mitigation [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.main:cavisson-ns-nd-integrationMaven | <= 4.8.0.146 | — |
Affected products
2- Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
6- github.com/advisories/GHSA-vj5r-mmp4-3hrxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-38666ghsaADVISORY
- www.openwall.com/lists/oss-security/2022/11/15/4ghsamailing-listWEB
- github.com/jenkinsci/cavisson-ns-nd-integration-plugin/releasesghsaPACKAGE
- www.jenkins.io/security/advisory/2022-11-15/ghsaWEB
- www.jenkins.io/security/advisory/2022-11-15/mitre
News mentions
1- Jenkins Security Advisory 2022-11-15Jenkins Security Advisories · Nov 15, 2022