Description

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/09/21/5

https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243

Related Vulnerabilities

CVE-2020-13941 Vulnerability in maven package org.apache.solr:solr-core

CVE-2023-24789 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-parent

CVE-2018-1304 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2020-10591 Vulnerability in maven package com.walmartlabs.concord.server:concord-server-impl

CVE-2020-7717 Vulnerability in npm package dot-notes

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory