
CVE-2022-41230: Vulnerability in Jenkins project Jenkins Build-Publisher Plugin

Severity: Medium
Published: Wed Sep 21 2022 (09/21/2022, 15:45:51 UTC)
Source: CVE Database V5
Vendor/Project: Jenkins project
Product: Jenkins Build-Publisher Plugin

Description

Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.

AI-Powered Analysis

Last updated: 07/07/2025, 08:56:26 UTC

Technical Analysis

CVE-2022-41230 is a medium-severity vulnerability in the Jenkins Build-Publisher Plugin, version 1.22 and earlier. The plugin exposes an HTTP endpoint that does not perform a permission check, so any user holding Overall/Read on the Jenkins controller can read data that should be restricted: the names and URLs of the remote Jenkins servers the plugin is configured to publish builds to, and the builds currently pending publication to those servers. The issue is classified as CWE-862 (Missing Authorization) and needs no user interaction. In CVSS 3.1 terms it is reachable over the network (AV:N) with low attack complexity (AC:L) and requires low privileges (PR:L), that is, an account with Overall/Read. The impact is confidentiality only; no integrity or availability impact is reported. Note that the PR:L barrier is only as strong as the instance's authorization configuration: on controllers that grant Overall/Read to the "anonymous" or "authenticated" groups, which is a common default, the endpoint is effectively reachable by anyone who can reach the controller. No exploitation in the wild is known. The provided data links no fix, so consult the Jenkins security advisory for this CVE before assuming a patched plugin release exists. In practice the flaw is a reconnaissance aid: a low-privileged insider or an attacker with a foothold can map the downstream Jenkins servers and in-flight builds, which helps in planning further moves against the CI/CD estate.

Potential Impact

For European organizations running Jenkins with the Build-Publisher Plugin, this vulnerability can disclose internal CI/CD topology: the URLs and names of downstream Jenkins servers and the builds queued for publication to them. The attacker must already hold Overall/Read, which is a moderate barrier on well-configured instances, but the disclosed server URLs and build names are exactly the information needed to plan lateral movement between Jenkins controllers or to target a build pipeline for supply chain tampering. Organizations with sensitive or safety-critical software pipelines therefore face an elevated risk of follow-on attacks even though this flaw alone exposes no source or artifacts. If the leaked names or URLs contain personal data, the disclosure may also be reportable under European data protection rules. Because the vulnerability allows no modification or disruption of builds, the immediate operational impact is limited; its significance is as a stepping stone, and it grows with the size and interconnection of the Jenkins deployment.

Mitigation Recommendations

European organizations should audit their Jenkins controllers for the Build-Publisher Plugin at version 1.22 or earlier, either in Manage Jenkins > Plugins or programmatically through the controller's plugin inventory API. If the Jenkins security advisory for this CVE lists a fixed release, upgrade to it; if it does not, treat the plugin as unfixed and remove or disable it wherever build publishing to remote Jenkins servers is not actually in use. Where the plugin must stay, reduce who holds Overall/Read: in particular, do not grant Overall/Read to the "anonymous" group, and review whether the "authenticated" group needs it, since either grant turns this into an information leak to every user who can reach the controller. Restrict network access to the controller with firewall rules or VPN requirements so that reconnaissance requires a foothold first. Enable access logging on the controller and review requests from low-privileged accounts to plugin-owned URL paths; the affected endpoint is not named in the advisory data, so base detection on unexpected plugin-path access rather than on a single URL. Finally, apply least privilege across users and plugins, and periodically review the authorization matrix and installed plugin list so that similar missing-authorization flaws in other plugins are caught early.
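The following is an added example, not code from the Jenkins project or from this page, showing the plugin-inventory audit described above. It assumes the inventory comes from the controller's standard `/pluginManager/api/json?depth=1` endpoint (JSON with a `plugins` array whose entries carry `shortName`, `version` and `active`) and that the plugin's short name is `build-publisher`; both are assumptions stated in the code. The sample inventory embedded in the block is constructed so the script runs offline. The version comparison is numeric per component rather than a string comparison, so that 1.9 is correctly treated as older than 1.22 while 1.23 is treated as newer.

```python
"""Audit a Jenkins plugin inventory for Build-Publisher Plugin <= 1.22 (CVE-2022-41230).

Added example; not Jenkins project code. Assumptions:
  - the inventory is the JSON returned by /pluginManager/api/json?depth=1
    (entries with 'shortName', 'version', 'active'),
  - the affected plugin's short name is 'build-publisher'.
"""
import base64
import json
import re
import urllib.request
from typing import Dict, List, Tuple

AFFECTED_PLUGIN = "build-publisher"   # assumption: plugin short name
LAST_AFFECTED_VERSION = "1.22"        # from the CVE text: "1.22 and earlier"


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.22' into a tuple that compares numerically per component.

    Each dot-separated piece becomes (number, trailing_text); a piece with no
    leading digits becomes (-1, piece) so it sorts before any numbered piece.
    This makes 1.9 < 1.10 < 1.22 < 1.23, which plain string comparison gets wrong.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if m:
            parts.append((int(m.group(1)), m.group(2)))
        else:
            parts.append((-1, piece))
    return tuple(parts)


def is_affected(short_name: str, version: str) -> bool:
    """True when this plugin entry falls inside the affected range."""
    return (short_name == AFFECTED_PLUGIN
            and version_key(version) <= version_key(LAST_AFFECTED_VERSION))


def audit_inventory(inventory_json: str) -> List[Dict]:
    """Return every installed plugin in a pluginManager JSON document that is affected."""
    data = json.loads(inventory_json)
    findings = []
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName", "")
        version = str(plugin.get("version", ""))
        if is_affected(name, version):
            findings.append({
                "shortName": name,
                "version": version,
                # an inactive plugin still ships the code; treat it as a finding too
                "active": bool(plugin.get("active", True)),
            })
    return findings


def fetch_inventory(base_url: str, user: str, api_token: str) -> str:
    """Fetch the live inventory with HTTP basic auth (Jenkins user + API token)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + creds})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed sample inventory, in the shape of the pluginManager API response.
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "build-publisher", "version": "1.22", "active": True},
        {"shortName": "git", "version": "4.11.5", "active": True},
        {"shortName": "matrix-auth", "version": "3.1.5", "active": True},
    ]
})


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_inventory(...) for a real controller.
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"AFFECTED: {finding['shortName']} {finding['version']} "
              f"(active={finding['active']}) - CVE-2022-41230")
```

Run it against a live controller by replacing `SAMPLE_INVENTORY` with `fetch_inventory("https://jenkins.example", "auditor", "<api token>")`; the account used only needs permission to read the plugin manager API. Inactive plugins are still reported because disabling a plugin leaves its code installed, and the safer end state is to uninstall it if it is not needed.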


Technical Details

Data Version
5.1
Assigner Short Name
jenkins
Date Reserved
2022-09-21T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68372487182aa0cae2510594

Added to database: 5/28/2025, 2:58:15 PM

Last enriched: 7/7/2025, 8:56:26 AM

Last updated: 7/26/2025, 3:49:07 PM

Views: 11
