CVE-2022-41230 — Missing permission check in Jenkins build-publisher Plugin

Description

Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers. At this time there is no known workaround or fix. The Build-Publisher plugin distribution has been suspended.

How to fix CVE-2022-41230

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-41230 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.22

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-41230
WEBgithub.com/jenkins-infra/update-center2/pull/644
WEBplugins.jenkins.io/build-publisher
WEBwww.jenkins.io/security/advisory/2022-09-21/#SECURITY-1994