{"id":"CVE-2022-41232","details":"A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint.","aliases":["GHSA-phr4-94xx-259m"],"modified":"2026-03-13T05:59:00.486182Z","published":"2022-09-21T16:15:10.330Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2139"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/build-publisher-plugin","events":[{"introduced":"0"},{"last_affected":"a4b7eabb74301b5f0ccc414bdc9d51486288bec0"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.22"}]}}],"versions":["build-publisher-1.11","build-publisher-1.12","build-publisher-1.13","build-publisher-1.14","build-publisher-1.15","build-publisher-1.16","build-publisher-1.17","build-publisher-1.18","build-publisher-1.19","build-publisher-1.20","build-publisher-1.21","build-publisher-1.22"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-41232.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}