Description

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/09/21/5

https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243

Related Vulnerabilities

CVE-2020-7746 Vulnerability in maven package org.webjars.bowergithub.chartjs:chart.js

CVE-2019-17570 Vulnerability in maven package org.apache.xmlrpc:xmlrpc

CVE-2022-23974 Vulnerability in maven package org.apache.pinot:pinot

CVE-2022-45143 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2021-21619 Vulnerability in maven package org.jenkins-ci.plugins:claim

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory