CVE-2022-45391 in NS-ND Integration Performance Publisher Plugin
Summary
by MITRE • 11/15/2022
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 12/19/2022
The vulnerability identified as CVE-2022-45391 affects the Jenkins NS-ND Integration Performance Publisher Plugin version 4.8.0.143 and earlier, representing a critical security flaw that undermines the fundamental trust mechanisms of secure communications within the Jenkins ecosystem. This issue manifests as a global and unconditional disabling of SSL/TLS certificate and hostname validation across the entire Jenkins controller JVM, effectively eliminating cryptographic security measures that protect against man-in-the-middle attacks and unauthorized access to sensitive build environments and data.
The technical flaw stems from the plugin's implementation where it indiscriminately disables SSL/TLS validation mechanisms throughout the Jenkins controller's Java Virtual Machine, rather than applying these security measures selectively to specific network connections. This behavior creates an environment where any network communication between Jenkins and external systems can be intercepted, modified, or impersonated without detection. The vulnerability operates at the JVM level, meaning that all plugins, integrations, and communication channels within the Jenkins environment become susceptible to cryptographic attacks, including certificate forgery, session hijacking, and data exfiltration.
The operational impact of this vulnerability is severe and far-reaching, as it fundamentally compromises the security posture of Jenkins controllers that utilize the affected plugin. Attackers can exploit this weakness to perform credential theft, manipulate build processes, access sensitive configuration data, and potentially gain unauthorized access to downstream systems that Jenkins communicates with during automated workflows. The global nature of the vulnerability means that organizations cannot rely on any SSL/TLS protections provided by Jenkins or its plugins, rendering the entire infrastructure vulnerable to cryptographic attacks that would normally be prevented by proper certificate validation.
Security professionals should recognize this issue as a direct violation of security best practices and industry standards such as those outlined in CWE-295, which addresses improper certificate validation, and aligns with ATT&CK technique T1566.001 for credential access through phishing attacks that could be facilitated by the compromised network security. Organizations should immediately update to a patched version of the NS-ND Integration Performance Publisher Plugin, implement network monitoring to detect anomalous communications, and conduct comprehensive security audits of their Jenkins environments to identify any other instances where similar security misconfigurations may exist. Additionally, the vulnerability highlights the critical importance of secure coding practices and the need for plugins to implement security controls at the appropriate scope rather than globally disabling security mechanisms that protect the broader system infrastructure.