A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any `config.xml` file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint. There is currently no workaround or patch as this plugin has been suspended.

Affected Packages

Maven org.jenkins-ci.plugins:build-publisher

Affected versions: 0 (last affected: 1.22)

Related CVEs

CVE-2022-41232

Key Information

GHSA ID

GHSA-phr4-94xx-259m

Published

September 22, 2022 12:00 AM

Last Modified

December 6, 2022 3:43 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:build-publisher

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.