Description

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/09/21/5

https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243

Related Vulnerabilities

CVE-2021-21165 Vulnerability in npm package electron

CVE-2019-1353 Vulnerability in maven package org.webjars.npm:nodegit

CVE-2020-11973 Vulnerability in maven package org.apache.camel:camel-netty

CVE-2020-20739 Vulnerability in npm package libvips

CVE-2022-41678 Vulnerability in maven package org.apache.activemq:apache-activemq

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory