VYPR
Moderate severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41243

Description

Jenkins SmallTest Plugin 1.0.4 and earlier lacks hostname validation, enabling man-in-the-middle attacks on connections to View26 server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Jenkins SmallTest Plugin, versions 1.0.4 and earlier, fails to perform hostname validation when connecting to the configured View26 server. This flaw allows an attacker positioned on the network to conduct man-in-the-middle attacks, intercepting traffic between Jenkins and the View26 server [1][2].

An attacker with network access can exploit this vulnerability by placing themselves between Jenkins and the View26 server. Because the plugin does not verify that the certificate presented matches the View26 server's hostname, it can accept a certificate presented by a rogue server, enabling the attacker to decrypt, read, and potentially modify data in transit [2].

The impact includes the potential exposure of sensitive information exchanged during test execution, such as credentials or test results. An attacker could also inject malicious data into the communication stream [1].

As of the publication date, users are advised to upgrade the SmallTest Plugin to a version that includes hostname validation, if available. The Jenkins security advisory (2022-09-21) provides further details and remediation steps [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.smalltest:smalltest (Maven) | <= 1.0.4 |

Patches

No patches discovered yet.
