CVE-2022-41230
Description
Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Build-Publisher Plugin 1.22 and earlier lacks permission check, allowing attackers with Overall/Read to leak server names, URLs, and pending builds.
Vulnerability
Details
Jenkins Build-Publisher Plugin versions 1.22 and earlier contain a missing permission check in an HTTP endpoint. This flaw allows any Jenkins user with the Overall/Read permission to access the endpoint without further authorization [1][2]. The endpoint exposes the names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as the list of builds pending publication to those servers.
Exploitation
An attacker needs only the Overall/Read permission, which is typically granted to most authenticated users. No additional privileges or authentication bypass is required. The vulnerable endpoint is accessible directly, leaking sensitive configuration data.
Impact
By exploiting this vulnerability, an attacker can discover internal Jenkins server URLs and names, potentially mapping the network topology. Additionally, knowledge of pending builds may reveal project activity or timing. This information could be used to target other systems or plan further attacks.
Mitigation
The Build-Publisher Plugin has been suspended from distribution and is no longer maintained [3]. Users are advised to remove or disable the plugin. No patched version is available; the plugin is incompatible with modern Jenkins versions (JEP-200, CSRF protection) [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:build-publisher (Maven) | <= 1.22 | — |
Affected products
- Range: <=1.22
- Range: unspecified
Patches
1bb038cab1fac Suspend distribution of build-publisher, cons3rt, walti (#644)
1 file changed · +5 −0
resources/artifact-ignores.properties+5 −0 modified@@ -761,3 +761,8 @@ DotCi-DockerPublish = https://www.jenkins.io/security/plugins/#suspensions DotCi-Fig-template = https://www.jenkins.io/security/plugins/#suspensions DotCi-InstallPackages = https://www.jenkins.io/security/plugins/#suspensions DotCiInstallPackages = https://www.jenkins.io/security/plugins/#suspensions + +# Various plugins with severe issues appearing in https://jenkins.io/security/advisory/2022-09-21/ +build-publisher = https://github.com/jenkins-infra/update-center2/pull/644 +cons3rt = https://github.com/jenkins-infra/update-center2/pull/644 +walti = https://github.com/jenkins-infra/update-center2/pull/644
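Review bot: the three new build-publisher, cons3rt and walti entries use the update-center2 pull request URL as their value, whereas the neighbouring DotCi-* entries in the same file record suspensions with `https://www.jenkins.io/security/plugins/#suspensions`; unless the PR link is deliberately the reason URL, consider the suspensions page (or the 2022-09-21 advisory already named in the comment) so the file stays consistent and the reason does not depend on the PR staying reachable. Minor: the comment's `https://jenkins.io/security/advisory/2022-09-21/` drops the `www.` host that the surrounding entries use.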
Vulnerability mechanics
Root cause
"Missing permission check in an HTTP endpoint allows unauthorized access to Jenkins server names, URLs, and pending build data."
Attack vector
An attacker with only Overall/Read permission (the lowest Jenkins access level) can send a crafted HTTP request to the affected endpoint. The endpoint does not verify that the user has the required permission (e.g., Administer) to view the plugin's configured Jenkins servers or pending build publications. The advisory does not specify the exact URL path or HTTP method, but the endpoint exposes names and URLs of remote Jenkins servers that the plugin is configured to publish builds to, along with builds queued for publication to those servers.
Affected code
The advisory does not specify the exact file or function path within the build-publisher plugin. The vulnerability exists in an HTTP endpoint that lacks a permission check. The plugin is identified as Build-Publisher Plugin version 1.22 and earlier. The patch [patch_id=1641265] only suspends distribution of the plugin from the update center and does not modify any plugin source code.
What the fix does
The patch [patch_id=1641265] suspends distribution of the build-publisher plugin from the Jenkins update center entirely, rather than fixing the missing permission check in the plugin code itself. This is a remediation action taken by the Jenkins project to prevent new installations of the vulnerable plugin (version 1.22 and earlier) while the underlying permission-check flaw remains unpatched in the plugin. The commit message references the security advisory date 2022-09-21, indicating this suspension is part of the coordinated disclosure response.
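Because the fix only blocks new installs, an administrator still needs to find controllers that already run the plugin. The following Python check is an added example, not code from the advisory or the plugin: it reads the Jenkins plugin-manager remote API output and flags build-publisher at 1.22 or earlier. The sample JSON is constructed, and fetch_plugin_json is a hypothetical helper whose URL and credentials are placeholders.

```python
import json
import re
import urllib.request
from base64 import b64encode

# Plugin short name and last affected version are taken from the CVE-2022-41230 advisory.
AFFECTED_SHORT_NAME = "build-publisher"
LAST_AFFECTED_VERSION = "1.22"

# Constructed sample of what GET /pluginManager/api/json?tree=plugins[shortName,version,active]
# returns; the git entry is a decoy so the output shows only build-publisher being flagged.
SAMPLE_PLUGIN_JSON = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.11.5", "active": True},
    {"shortName": "build-publisher", "version": "1.22", "active": True},
]})


def version_key(version):
    """Turn '1.22' into (1, 22) so versions compare numerically ('1.9' sorts below '1.22')."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError("unparseable plugin version: %r" % version)
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected(short_name, version):
    """True when the plugin is build-publisher at version 1.22 or earlier."""
    return (short_name == AFFECTED_SHORT_NAME
            and version_key(version) <= version_key(LAST_AFFECTED_VERSION))


def find_affected_plugins(plugin_manager_json):
    """Return (shortName, version, active) for each affected plugin in a pluginManager JSON document."""
    found = []
    for plugin in json.loads(plugin_manager_json).get("plugins", []):
        name, version = plugin.get("shortName", ""), plugin.get("version", "0")
        if is_affected(name, version):
            found.append((name, version, bool(plugin.get("active", False))))
    return found


def fetch_plugin_json(base_url, user, api_token):
    """Hypothetical helper: fetch the live plugin list from a controller using an API token."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?tree=plugins[shortName,version,active]"
    request = urllib.request.Request(url)
    credentials = b64encode(("%s:%s" % (user, api_token)).encode()).decode()
    request.add_header("Authorization", "Basic " + credentials)
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode()


if __name__ == "__main__":
    for name, version, active in find_affected_plugins(SAMPLE_PLUGIN_JSON):
        print("%s %s (%s): affected by CVE-2022-41230, remove the plugin"
              % (name, version, "active" if active else "disabled"))
```

A disabled copy is reported too, since the advisory's mitigation is removal and a disabled plugin can be re-enabled.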
Preconditions
- auth: Attacker must have Overall/Read permission on the Jenkins instance
- network: Attacker must be able to send HTTP requests to the Jenkins controller
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-3jp6-q9cg-rvgj (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-41230 (GHSA, advisory)
3. github.com/jenkins-infra/update-center2/pull/644 (GHSA, web)
4. plugins.jenkins.io/build-publisher (GHSA, web)
5. www.jenkins.io/security/advisory/2022-09-21/ (GHSA, x_refsource_CONFIRM, web)
News mentions
- Jenkins Security Advisory 2022-09-21 (Jenkins Security Advisories · Sep 21, 2022)