CVE-2022-45391 is a high-severity vulnerability affecting the Jenkins NS-ND Integration Performance Publisher Plugin version 4.8.0.143 and earlier. This vulnerability arises because the plugin globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM. In practical terms, this means that any SSL/TLS connection initiated by the Jenkins controller, regardless of the target, will not verify the authenticity of the server's certificate or confirm that the hostname matches the certificate. This behavior effectively nullifies the protections normally provided by SSL/TLS, exposing Jenkins environments to man-in-the-middle (MitM) attacks. An attacker positioned on the network path could intercept or manipulate data transmitted between Jenkins and external services, potentially injecting malicious payloads or stealing sensitive information. The vulnerability is classified under CWE-295 (Improper Certificate Validation), which highlights the failure to properly validate certificates in SSL/TLS communications. The CVSS v3.1 base score is 7.5 (High), reflecting the network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N). The high integrity impact indicates that an attacker could alter data or commands processed by Jenkins, potentially leading to unauthorized code execution or pipeline manipulation. Although no known exploits are currently reported in the wild, the ease of exploitation and the critical role Jenkins plays in CI/CD pipelines make this vulnerability a significant risk for organizations relying on this plugin. The lack of patch links suggests that a fix may not yet be publicly available or that users must upgrade to a newer plugin version once released. Until then, affected Jenkins instances remain vulnerable to MitM attacks that can compromise the integrity of build and deployment processes.

For European organizations, the impact of CVE-2022-45391 can be substantial due to the widespread use of Jenkins in software development and continuous integration/continuous deployment (CI/CD) pipelines. The vulnerability undermines the trustworthiness of SSL/TLS communications, potentially allowing attackers to intercept or modify build artifacts, credentials, or configuration data transmitted by Jenkins. This can lead to unauthorized code injection, pipeline sabotage, or leakage of sensitive information such as API keys and internal endpoints. Given the critical role of Jenkins in automating software delivery, exploitation could disrupt development workflows, delay releases, and introduce backdoors or vulnerabilities into production systems. Industries with stringent regulatory requirements, such as finance, healthcare, and critical infrastructure sectors in Europe, may face compliance violations if their CI/CD integrity is compromised. Additionally, the vulnerability could be leveraged by advanced persistent threat (APT) actors targeting European organizations to gain footholds or escalate privileges within development environments. The absence of required authentication and user interaction for exploitation increases the risk of automated or opportunistic attacks, especially in environments where Jenkins controllers are exposed to untrusted networks or integrate with external services over SSL/TLS.

To mitigate CVE-2022-45391, European organizations should take immediate and specific actions beyond generic security hygiene: 1) Audit Jenkins environments to identify installations of the NS-ND Integration Performance Publisher Plugin version 4.8.0.143 or earlier. 2) Temporarily disable or remove the vulnerable plugin until a patched version is available. 3) Restrict network access to Jenkins controllers, ensuring they are not exposed to untrusted networks and that communications occur over secure, internal channels. 4) Implement network-level protections such as TLS interception detection and strict firewall rules to prevent MitM attacks. 5) Monitor Jenkins logs and network traffic for unusual SSL/TLS connection patterns or anomalies indicative of interception or tampering. 6) Enforce strict certificate pinning or use of trusted internal certificate authorities for Jenkins integrations to reduce reliance on external certificate validation. 7) Engage with the Jenkins community or vendor to obtain updates or patches addressing this vulnerability and plan for prompt deployment once available. 8) Educate development and security teams about the risks of disabling SSL/TLS validation and the importance of secure plugin configurations. These measures collectively reduce the attack surface and help maintain the integrity of CI/CD pipelines despite the vulnerability.