Description

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243

Related Vulnerabilities

CVE-2015-0254 Vulnerability in maven package taglibs:standard

CVE-2018-6341 Vulnerability in npm package vue

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-debug-jdk18on

CVE-2021-46877 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2023-25753 Vulnerability in maven package org.apache.shenyu:shenyu-common

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory