Description

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/09/21/5

https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243

Related Vulnerabilities

CVE-2019-10371 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-oauth

CVE-2022-36897 Vulnerability in maven package com.compuware.jenkins:compuware-xpediter-code-coverage

CVE-2022-47551 Vulnerability in maven package io.apiman:apiman-manager-api-beans

CVE-2019-3773 Vulnerability in maven package org.springframework.ws:spring-ws-core

CVE-2019-10348 Vulnerability in maven package org.jenkins-ci.plugins:gogs-webhook

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory