CVE-2022-41231
Description
Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace arbitrary config.xml files on the Jenkins controller by providing a crafted file name to an API endpoint.
Vulnerability Overview
CVE-2022-41231 affects the Jenkins Build-Publisher Plugin versions 1.22 and earlier. The plugin fails to properly validate or sanitize file names provided to an API endpoint. This allows an attacker with Item/Configure permission to create or overwrite any config.xml file on the Jenkins controller file system by supplying a crafted file name.
Exploitation Requirements
To exploit this vulnerability, an attacker must have the Item/Configure permission for a Jenkins project. They then send a crafted request to the plugin's API endpoint, specifying a file name that traverses directory paths (e.g., using ../) to target arbitrary config.xml files. No additional authentication or network access is required beyond that needed to reach the Jenkins controller.
Impact of Successful Exploitation
Successful exploitation enables the attacker to replace any config.xml file on the controller, including those that govern global security settings, credentials, or job configurations. This can lead to a full compromise of the Jenkins controller, including persistent backdoors, privilege escalation, and data exfiltration [1][2].
Mitigation and Status
The Jenkins project has suspended distribution of the Build-Publisher Plugin due to incompatibility with modern Jenkins releases (JEP-200, CSRF protection) and lack of maintainer support. Users are advised to remove or disable the plugin if installed. No patch is available; the recommended mitigation is to stop using the plugin entirely [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:build-publisher | Maven | <= 1.22 | — |
Affected products
- Range: <= 1.22
- Range: unspecified
Patches
1bb038cab1fac Suspend distribution of build-publisher, cons3rt, walti (#644)
1 file changed · +5 −0
resources/artifact-ignores.properties+5 −0 modified@@ -761,3 +761,8 @@ DotCi-DockerPublish = https://www.jenkins.io/security/plugins/#suspensions DotCi-Fig-template = https://www.jenkins.io/security/plugins/#suspensions DotCi-InstallPackages = https://www.jenkins.io/security/plugins/#suspensions DotCiInstallPackages = https://www.jenkins.io/security/plugins/#suspensions + +# Various plugins with severe issues appearing in https://jenkins.io/security/advisory/2022-09-21/ +build-publisher = https://github.com/jenkins-infra/update-center2/pull/644 +cons3rt = https://github.com/jenkins-infra/update-center2/pull/644 +walti = https://github.com/jenkins-infra/update-center2/pull/644
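Review bot: the three new entries at the end of the hunk (build-publisher, cons3rt, walti) use the pull request URL https://github.com/jenkins-infra/update-center2/pull/644 as their value, while every neighbouring suspension entry in the unchanged context (the DotCi-* lines) points at https://www.jenkins.io/security/plugins/#suspensions. Unless the PR link is meant to be the canonical reason for these three, consider using the same suspensions URL, or the advisory URL the new comment already names (https://jenkins.io/security/advisory/2022-09-21/), so that readers and any tooling that consumes this file see one consistent kind of pointer per suspended artifact. The comment "Various plugins with severe issues" would also be more useful if it said that these are security suspensions, matching the wording of the surrounding section.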
Vulnerability mechanics
Root cause
"Missing input validation on a file name parameter allows path traversal, enabling an attacker to write arbitrary config.xml files to the Jenkins controller file system."
Attack vector
An attacker with Item/Configure permission sends a crafted request to an API endpoint, supplying a file name that includes path traversal sequences (e.g., ../). Because the plugin does not validate or sanitize the file name, the attacker can write a config.xml file to an arbitrary location on the Jenkins controller file system. This allows overwriting existing configuration files or planting new ones, which can lead to further compromise such as arbitrary code execution. The attack is performed over the network and requires only the Item/Configure permission, which is a relatively low-privilege role in Jenkins.
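The root cause and attack vector above reduce to one missing check: a caller-controlled file name is joined onto a directory on the controller and written without confirming that the result still lies inside that directory. The following is an added illustration of the defensive pattern, not code from the Build-Publisher Plugin or the Jenkins project; the class name `SafeConfigWriter`, the assumed `<baseDir>/<name>/config.xml` layout and the character allowlist are my assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Added example (not plugin code): a "publish config.xml under a caller-chosen
 * name" operation that refuses to write outside its base directory.
 * Assumed layout: <baseDir>/<name>/config.xml.
 */
public final class SafeConfigWriter {

    // Allowlist for the caller-supplied name: one path segment, no separators,
    // no leading dot (so "." and ".." never reach the path arithmetic). Assumed policy.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9_.-]{0,63}");

    private final Path baseDir;

    public SafeConfigWriter(Path baseDir) throws IOException {
        // Canonicalize once so later containment checks compare against the real location.
        this.baseDir = baseDir.toRealPath();
    }

    /** Maps a caller-supplied name to its config.xml path, or throws if it cannot be contained. */
    public Path resolveOrReject(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("rejected name: " + name);
        }
        // Second, independent check: after normalization the target must still be a
        // strict descendant of baseDir. Path.startsWith compares whole components,
        // so "/base-other" is not mistaken for something under "/base".
        Path dir = baseDir.resolve(name).normalize();
        if (!dir.startsWith(baseDir) || dir.equals(baseDir)) {
            throw new IllegalArgumentException("name escapes base directory: " + name);
        }
        return dir.resolve("config.xml");
    }

    /** Writes the XML only after the target has passed both checks. */
    public Path writeConfig(String name, String xml) throws IOException {
        Path target = resolveOrReject(name);
        Files.createDirectories(target.getParent());
        Files.write(target, xml.getBytes(StandardCharsets.UTF_8));
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("published-builds");
        SafeConfigWriter writer = new SafeConfigWriter(base);
        // Constructed inputs: one acceptable name followed by traversal and absolute-path attempts.
        String[] names = {"job-42", "../config.xml", "..", "/etc/config.xml", "a/../../b"};
        for (String n : names) {
            try {
                Path written = writer.writeConfig(n, "<project/>");
                System.out.println("accepted " + n + " -> " + written);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + n + ": " + e.getMessage());
            }
        }
    }
}
```

Two independent checks are used on purpose: the allowlist rejects separators and dot segments before any path arithmetic happens, and the component-wise `startsWith` test on the normalized path, against a canonicalized base, catches anything the allowlist might miss (including a base directory that is itself a symlink). A Jenkins permission check such as Item/Configure gates who may call the endpoint but says nothing about where the write lands, so it is not a substitute for this validation.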
Affected code
The vulnerability exists in the Jenkins Build-Publisher Plugin version 1.22 and earlier. The patch does not show the specific vulnerable source files, but the advisory indicates that an API endpoint accepts a file name parameter without validation, allowing path traversal to write arbitrary config.xml files on the Jenkins controller file system.
What the fix does
The patch does not modify the vulnerable plugin's source code; instead, it suspends distribution of the build-publisher plugin (along with cons3rt and walti) in the Jenkins update center by adding entries to `artifact-ignores.properties` [patch_id=1641262]. This prevents new installations and updates from being served to users, effectively halting the spread of the vulnerability. The advisory notes that the plugin has severe issues, and the suspension is a stopgap measure until a proper fix can be released or the plugin is retired.
Preconditions
- Auth: Attacker must have Item/Configure permission on a Jenkins project.
- Network: Attacker must be able to send HTTP requests to the Jenkins controller's API endpoint.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-jrqh-c9v8-ccx9 (GHSA; advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2022-41231 (GHSA; advisory)
[3] github.com/jenkins-infra/update-center2/pull/644 (GHSA; web)
[4] www.jenkins.io/security/advisory/2022-09-21/ (GHSA, x_refsource_CONFIRM; web)
News mentions
- Jenkins Security Advisory 2022-09-21 (Jenkins Security Advisories, Sep 21, 2022)