Description
Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/09/21/5
https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243