CVE-2022-45391
Description
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier disables SSL/TLS certificate and hostname validation globally in the Jenkins controller JVM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The Jenkins NS-ND Integration Performance Publisher Plugin, in versions 4.8.0.143 and earlier, unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM [1][2]. This means that any component running in the Jenkins controller, including other plugins, will trust TLS connections without verifying the identity of the remote server [3].
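A way to audit plugin source for this class of change, as an added example that is not code from the advisory or the plugin: a heuristic scanner that flags the JDK calls which replace JVM-wide TLS defaults (`HttpsURLConnection.setDefaultHostnameVerifier`, `HttpsURLConnection.setDefaultSSLSocketFactory`, `SSLContext.setDefault`) and empty `checkServerTrusted` bodies, while ignoring per-connection setters. The rule names and the `SAMPLE` Java text are constructed for illustration; the page does not say which of these calls the plugin used.

```python
import re

# Setters that change TLS behaviour for every component in the JVM, not one connection.
GLOBAL_RULES = {
    "default-hostname-verifier": r"\bHttpsURLConnection\s*\.\s*setDefaultHostnameVerifier\s*\(",
    "default-socket-factory": r"\bHttpsURLConnection\s*\.\s*setDefaultSSLSocketFactory\s*\(",
    "default-ssl-context": r"\bSSLContext\s*\.\s*setDefault\s*\(",
    # X509TrustManager method with an empty body: every certificate chain is accepted.
    "accept-all-trust-manager":
        r"\bvoid\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}",
}
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)

def strip_comments(src):
    """Blank out Java comments (string literals are left alone), keeping line breaks."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)
    return _TOKEN.sub(repl, src)

def scan(src):
    """Return sorted (line, rule) findings for one Java source text."""
    code = strip_comments(src)
    return sorted(
        (code.count("\n", 0, m.start()) + 1, rule)
        for rule, rx in GLOBAL_RULES.items()
        for m in re.finditer(rx, code)
    )

SAMPLE = """\
class Uploader {  // constructed sample, not the plugin's source
    static void init(SSLContext ctx) {
        // HttpsURLConnection.setDefaultHostnameVerifier(old);  commented out: ignored
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
    }
    static void scoped(HttpsURLConnection c, SSLContext ctx) {
        c.setSSLSocketFactory(ctx.getSocketFactory());  // one connection only: not reported
    }
    abstract static class TrustAll implements X509TrustManager {
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    }
}
"""

if __name__ == "__main__":
    for line, rule in scan(SAMPLE):
        print(f"line {line}: {rule}")
```

A hit on a global setter is a prompt for manual review: the call may install a properly validating factory, so inspect what is passed to it.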
Exploitation Details
An attacker can exploit this vulnerability from a man-in-the-middle (MITM) position between the Jenkins controller and any external service it connects to over HTTPS [1]. Because the plugin alters the JVM's SSL settings globally, no certificate validation takes place, which allows TLS communications to be intercepted and modified [4]. No authentication is required on the network, as the attack targets the SSL/TLS trust configuration [3].
Impact
A successful MITM attack can lead to disclosure of sensitive data transmitted over HTTPS, such as credentials or build artifacts, and potentially injection of malicious content into communications [1][2]. The impact is severe because the insecure setting applies globally, affecting all plugins and features of Jenkins using HTTPS connections, not just the NS-ND plugin itself [3].
Mitigation
The vulnerability is fixed in NS-ND Integration Performance Publisher Plugin version 4.8.0.146 [3]. Users should upgrade immediately or remove the plugin if not needed [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:cavisson-ns-nd-integration (Maven) | < 4.8.0.146 | 4.8.0.146 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-3vwm-fc87-mq6h (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-45391 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2022/11/15/4 (GHSA, mailing list, web)
- www.jenkins.io/security/advisory/2022-11-15/ (GHSA, web)
News mentions
- Jenkins Security Advisory 2022-11-15 (Jenkins Security Advisories · Nov 15, 2022)