Description
Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/09/21/5
https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243