VYPR
Moderate severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41227

Description

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier is vulnerable to CSRF, allowing attackers to connect to any webserver with attacker-controlled credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

The Jenkins NS-ND Integration Performance Publisher Plugin (also known as cavisson-ns-nd-integration) is designed to trigger test suites on a remote NetStorm server and publish HTML reports. A cross-site request forgery (CSRF) vulnerability exists in version 4.8.0.129 and earlier of this plugin [1]. The root cause is that the plugin does not require a CSRF token or perform any origin validation when processing requests to configure connections to remote servers, allowing an attacker to trick an authenticated Jenkins user into making an unintended request [2].
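The class of bug described above is a Jenkins form-validation endpoint (a Stapler `doXxx` method) that a browser can reach with a plain GET and that performs a network connection with caller-supplied credentials. The following is an added example, not code from the NS-ND Integration Performance Publisher Plugin: the class and field names are hypothetical, and it assumes only the standard Jenkins and Stapler APIs (`FormValidation`, `@QueryParameter`, `@AncestorInPath`, `@RequirePOST`, `Item.CONFIGURE`). It places the unsafe shape beside the hardened one so the two missing controls are visible.

```java
// Added illustration of the Jenkins "test connection" CSRF pattern.
// Not the affected plugin's code; class names are hypothetical.
package example.jenkins.csrf;

import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ConnectionTestExamples {

    /**
     * Shared helper: the Jenkins controller (not the user's browser) opens an
     * authenticated HEAD request to the configured server. This is the
     * side effect a CSRF attacker wants to trigger with credentials they chose.
     */
    static FormValidation probe(String serverUrl, String username, String password) {
        try {
            URL url = new URL(serverUrl);
            String scheme = url.getProtocol();
            if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
                return FormValidation.error("Only http(s) URLs are supported");
            }
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            String token = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + token);
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Connected (HTTP " + status + ")")
                    : FormValidation.error("Server returned HTTP " + status);
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }

    /**
     * Vulnerable shape. Stapler exposes this as .../descriptorByName/<class>/testConnection
     * and accepts GET, so a cross-site <img> or link loaded by a logged-in user
     * makes Jenkins connect wherever the query string says, with whatever
     * credentials it carries. No permission is checked either.
     */
    public static class UnsafeDescriptor {
        public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                               @QueryParameter String username,
                                               @QueryParameter String password) {
            return probe(serverUrl, username, password);
        }
    }

    /**
     * Hardened shape. @RequirePOST rejects GET, and Jenkins' CSRF crumb check
     * then covers the POST; the permission check limits the side effect to
     * users allowed to configure the job (or administer Jenkins at global level).
     */
    public static class HardenedDescriptor {
        @RequirePOST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl,
                                               @QueryParameter String username,
                                               @QueryParameter String password) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return probe(serverUrl, username, password);
        }
    }
}
```

Both controls matter. `@RequirePOST` alone is what closes the CSRF hole, because a forged GET cannot carry Jenkins' crumb token; the permission check is the separate fix for the companion "missing permission check" issues that usually accompany these advisories, so that a low-privileged user cannot use the endpoint directly. When reviewing a plugin, a quick check is to grep its descriptors for `public FormValidation do` methods and confirm each one carries `@RequirePOST` (or `@POST`) and a `checkPermission` call before any network or credential use.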

Attack

Vector and Prerequisites

To exploit this vulnerability, an attacker must be able to convince a Jenkins user with the necessary permissions to click on a crafted link or visit a malicious webpage [1]. The user does not need to be an administrator; any user who can configure the plugin's build or post-build steps can be targeted. The attacker can specify both the target webserver URL and the credentials used to connect, meaning they can exfiltrate data to any server they control [2]. Authentication to Jenkins is required for the victim user, but the attacker themselves does not need any credentials on the Jenkins instance [1].

Impact

A successful CSRF attack allows the attacker to make the victim's browser connect to an arbitrary webserver using attacker-supplied credentials [1]. This could be used to exfiltrate Jenkins credentials, session tokens, or other sensitive data, or to establish a foothold for further exploitation. The plugin uses these connections to fetch test reports, so the attacker-controlled server could deliver malicious content back to Jenkins, potentially leading to stored XSS or other client-side attacks [3].

Mitigation

The Jenkins Security Advisory 2022-09-21 recommends upgrading to a fixed version of the plugin (not yet specified at the time of publication) or disabling the plugin if it is not needed [1]. Administrators should review the Jenkins Security Advisory for the latest information. The vulnerability is also tracked in the NVD database [2]. No workaround is provided other than removing the plugin or preventing untrusted users from configuring Jenkins jobs.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:cavisson-ns-nd-integration (Maven)
Affected versions: < 4.8.0.130
Patched versions: 4.8.0.130

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.
