Moderate severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41228

Description

Jenkins NS-ND Integration Performance Publisher Plugin lacks permission checks, allowing attackers with Overall/Read to connect to arbitrary webservers with attacker-supplied credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing permission check in Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier allows attackers with Overall/Read permissions to connect to an attacker-specified webserver using attacker-specified credentials [1][2].

Attackers need only Overall/Read permission, a low-level Jenkins permission, to exploit this. They can configure the plugin to connect to an external webserver with arbitrary credentials, potentially enabling server-side request forgery (SSRF) or credential leakage [1][2].

This could allow attackers to exfiltrate data or probe internal networks, as the plugin executes connections with attacker-controlled parameters [2].

As of the advisory publication date, no fix was available; users should restrict Overall/Read permissions or avoid using the plugin until a patch is released [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:cavisson-ns-nd-integration (Maven)
Affected versions: < 4.8.0.130
Patched versions: 4.8.0.130

Affected products

2

Patches

0

No patches discovered yet.

References

3

News mentions

1