Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers. At this time there is no known workaround or fix. The Build-Publisher plugin distribution has been suspended.

Affected Packages

Maven org.jenkins-ci.plugins:build-publisher

Affected versions: 0 (last affected: 1.22)

Related CVEs

CVE-2022-41230

Key Information

GHSA ID

GHSA-3jp6-q9cg-rvgj

Published

September 22, 2022 12:00 AM

Last Modified

December 6, 2022 2:26 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:build-publisher

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.