
CVE-2022-38666:
SSL/TLS certificate validation unconditionally disabled by Jenkins NS-ND Integration Performance Publisher Plugin

CVSS Score (v3.1): 5.9

Basic Information

EPSS Score: 0.05704%
Published: 11/16/2022
Updated: 10/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

Package Name: org.jenkins-ci.main:cavisson-ns-nd-integration
Ecosystem: maven
Vulnerable Versions: <= 4.8.0.146
First Patched Version: (none listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The advisory states that SSL/TLS validation is unconditionally disabled. In Java applications, this typically involves:

  1. Overriding TrustManager to accept all certificates
  2. Disabling hostname verification
  3. Using SSLContext with insecure settings

While the exact code isn't shown, the pattern matches common SSL bypass implementations. The functions listed are the core components that would handle HTTP communication configuration in a Jenkins plugin: the 'perform' method is typically where build steps execute, and 'createHttpClient' would be responsible for client configuration, so both are logical places for SSL settings.
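The three patterns listed above, placed next to the hardened form and two runtime guards that flag them, as an added example written for this page; it is not code from the plugin, from Jenkins, or from Miggo, and it makes no claim about how the plugin's own 'perform' or 'createHttpClient' methods are written. All method names here (trustAllManager, acceptAllHosts, defaultTrustManager, hardenedContext, trustManagerLooksBypassed, hostnameVerifierLooksBypassed) are hypothetical. The guards rely on two behaviours of the OpenJDK implementation: the default X509TrustManager rejects a null or empty chain with IllegalArgumentException, and the default HostnameVerifier returns false when called without an SSL session.

```java
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical illustration class; not the plugin's code.
public class TlsValidationCheck {

    // Patterns 1 and 3 from the analysis: a TrustManager that accepts every
    // chain, ready to be wired into an SSLContext. Kept here only so the
    // guards below can be exercised against it; it is the anti-pattern.
    static X509TrustManager trustAllManager() {
        return new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        };
    }

    // Pattern 2 from the analysis: a HostnameVerifier that accepts any host.
    static HostnameVerifier acceptAllHosts() {
        return (hostname, session) -> true;
    }

    // Hardened form: the JVM's default trust store (null KeyStore = platform cacerts).
    static X509TrustManager defaultTrustManager()
            throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Hardened form: an SSLContext built from a real trust manager.
    static SSLContext hardenedContext(X509TrustManager tm)
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, new SecureRandom());
        return ctx;
    }

    // Guard: a real trust manager refuses an empty chain with an exception
    // (OpenJDK throws IllegalArgumentException); a trust-all manager returns
    // silently, which is exactly the behaviour we want to flag.
    static boolean trustManagerLooksBypassed(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    // Guard: a verifier that accepts a host with no SSL session at all is
    // accepting unconditionally. The OpenJDK default verifier returns false here.
    static boolean hostnameVerifierLooksBypassed(HostnameVerifier v) {
        try {
            return v.verify("example.invalid", null);
        } catch (RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager bad = trustAllManager();
        X509TrustManager good = defaultTrustManager();
        HostnameVerifier defaultVerifier = HttpsURLConnection.getDefaultHostnameVerifier();

        System.out.println("trust-all manager flagged:    " + trustManagerLooksBypassed(bad));
        System.out.println("default manager flagged:      " + trustManagerLooksBypassed(good));
        System.out.println("accept-all verifier flagged:  " + hostnameVerifierLooksBypassed(acceptAllHosts()));
        System.out.println("default verifier flagged:     " + hostnameVerifierLooksBypassed(defaultVerifier));

        // What a client-construction method should hand back: a context built
        // on a trust manager that passes the guard, plus the default verifier.
        if (trustManagerLooksBypassed(good) || hostnameVerifierLooksBypassed(defaultVerifier)) {
            throw new IllegalStateException("refusing to build a client with TLS validation disabled");
        }
        SSLContext ctx = hardenedContext(good);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(defaultVerifier);
    }
}
```

The two guards are cheap enough to run at plugin start-up or in a unit test, and they catch the anti-pattern regardless of which class declares it. They are heuristics tied to the JDK's default implementations, so a third-party trust manager or verifier that legitimately tolerates a null session would need a different probe.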


WAF Protection Rules

WAF Rule

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. Currently, there are no known workarounds or patches.

Reasoning

The vulnerability explicitly states SSL/TLS validation is unconditionally disabled. In Java applications, this typically involves:

  1. Overriding TrustManager to accept all certificates
  2. Disabling hostname verification
  3. Using SSLContext with insecure settings