VYPR
High severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41232

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Build-Publisher Plugin 1.22 and earlier has a CSRF vulnerability that lets attackers replace any config.xml file on the controller with an empty file.

Vulnerability

Overview

A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows an attacker to replace any config.xml file on the Jenkins controller file system with an empty file. This is achieved by providing a crafted file name to an API endpoint [1][2]. The root cause is the lack of CSRF protection on the affected endpoint, which allows an unauthenticated attacker to trick a logged-in administrator into submitting a malicious request.

Exploitation and Attack Surface

To exploit this vulnerability, an attacker must convince a Jenkins administrator with appropriate permissions to click a crafted link or visit a malicious page while the administrator is authenticated to the Jenkins instance. There is no authentication required for the attacker, but the victim must have access to the Jenkins interface. The attack can be performed remotely over the network, and no special privileges are needed for the attacker [1].

Impact

Successful exploitation enables the attacker to delete or corrupt XML configuration files (e.g., config.xml) for any Jenkins item, job, or the system itself, effectively destroying configuration data. This denial-of-service or data loss could disrupt Jenkins operations and require administrative recovery [1][2].

Mitigation and Status

The Jenkins project has suspended distribution of the Build-Publisher Plugin due to its incompatibility with security features introduced in Jenkins 2.222+ (CSRF protection) and 2.266+ (JEP-200) [3]. Users are strongly advised to remove or disable the plugin and migrate to alternative solutions. No patched version is available, so the best mitigation is to stop using the plugin [1][3].
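As an added inventory check (not from this page or the Jenkins project), the following Python reads the JSON that a Jenkins controller returns from pluginManager/api/json?depth=1 and flags the plugins this page says were suspended. The sample response is constructed; the version bound of <= 1.22 comes from the advisory, while flagging cons3rt and walti at any version is my assumption, since the page gives no version bound for them.

```python
import json
import re

# Plugins suspended by update-center2 PR #644 as described on this page.
# Only build-publisher has a version bound from this advisory (CVE-2022-41232: <= 1.22);
# cons3rt and walti are flagged at any version (assumption: the page gives no bound).
SUSPENDED = {
    "build-publisher": "1.22",
    "cons3rt": None,
    "walti": None,
}

def parse_version(v):
    """Turn '1.22' or '1.22.1-beta' into a tuple of ints for numeric comparison.
    Plain string comparison would wrongly rank '1.9' above '1.22'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def find_suspended(plugin_manager_json):
    """Take the body of GET /pluginManager/api/json?depth=1 and return
    [(shortName, version, active)] for each installed plugin that should be removed."""
    data = json.loads(plugin_manager_json)
    hits = []
    for p in data.get("plugins", []):
        name = p.get("shortName")
        if name not in SUSPENDED:
            continue
        bound = SUSPENDED[name]
        version = p.get("version", "")
        if bound is None or parse_version(version) <= parse_version(bound):
            hits.append((name, version, bool(p.get("active"))))
    return hits

# Constructed sample shaped like the pluginManager API response (not a real capture).
SAMPLE = json.dumps({"plugins": [
    {"shortName": "build-publisher", "version": "1.22", "active": True},
    {"shortName": "cons3rt", "version": "1.0.0", "active": False},
    {"shortName": "git", "version": "4.11.5", "active": True},
]})

if __name__ == "__main__":
    for name, version, active in find_suspended(SAMPLE):
        state = "active" if active else "disabled"
        print(f"REMOVE: {name} {version} ({state}) is on the suspension list")
```

A disabled plugin is still reported because the advisory advises removing the plugin, not merely disabling it.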

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:build-publisher (Maven)
Affected versions: <= 1.22
Patched versions: none


Patches

bb038cab1fac

Suspend distribution of build-publisher, cons3rt, walti (#644)

https://github.com/jenkins-infra/update-center2 · Daniel Beck · Sep 22, 2022 · via ghsa-ref
1 file changed · +5 −0
  • resources/artifact-ignores.properties (+5 −0, modified)
    @@ -761,3 +761,8 @@ DotCi-DockerPublish = https://www.jenkins.io/security/plugins/#suspensions
     DotCi-Fig-template = https://www.jenkins.io/security/plugins/#suspensions
     DotCi-InstallPackages = https://www.jenkins.io/security/plugins/#suspensions
     DotCiInstallPackages = https://www.jenkins.io/security/plugins/#suspensions
    +
    +# Various plugins with severe issues appearing in https://jenkins.io/security/advisory/2022-09-21/
    +build-publisher = https://github.com/jenkins-infra/update-center2/pull/644
    +cons3rt = https://github.com/jenkins-infra/update-center2/pull/644
    +walti = https://github.com/jenkins-infra/update-center2/pull/644
    
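Review bot: the three new entries in this hunk use the PR itself (https://github.com/jenkins-infra/update-center2/pull/644) as their value, while every existing entry in the surrounding context points at https://www.jenkins.io/security/plugins/#suspensions; consider using the suspensions page, or the advisory URL already named in the new comment line, so that readers of artifact-ignores.properties get a consistent reference that explains why the artifact is ignored rather than a link to the change that introduced the entry.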

Vulnerability mechanics

Root cause

"Missing CSRF protection in the Build-Publisher Plugin allows an attacker to replace any config.xml file on the Jenkins controller with an empty file via a crafted API request."

Attack vector

An unauthenticated or low-privilege attacker can craft a malicious web page or link that, when visited by a Jenkins administrator, triggers a cross-site request forgery (CSRF) attack. The attack exploits a missing CSRF token check in an API endpoint of the Build-Publisher Plugin. By providing a crafted file name parameter, the attacker forces the victim's browser to send a request that overwrites an arbitrary config.xml file on the Jenkins controller with an empty file. The attacker does not need direct network access to the Jenkins controller, only the ability to trick an authenticated administrator into making the forged request.

Affected code

The patch does not show the vulnerable plugin source code. The advisory indicates the vulnerability exists in Jenkins Build-Publisher Plugin version 1.22 and earlier. The affected functionality is an API endpoint that accepts a file name parameter and writes to the Jenkins controller file system without CSRF token validation.

What the fix does

The patch does not modify the plugin source code directly. Instead, it suspends distribution of the Build-Publisher Plugin (along with cons3rt and walti) by adding it to the artifact-ignores.properties file in the Jenkins update-center2 repository [patch_id=1641268]. This prevents the plugin from being offered for installation or update through the Jenkins update center, effectively removing the vulnerable plugin from new and existing Jenkins installations until a fixed version is published. The suspension was applied because the plugin had severe security issues, including this CSRF vulnerability.

Preconditions

  • auth: A Jenkins administrator must be authenticated to the Jenkins instance.
  • input: The attacker must craft a file name parameter that targets a config.xml path on the Jenkins controller.
  • network: The attacker must trick the authenticated administrator into visiting a malicious web page or link.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
