Description

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.

Remediation

References

https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243

http://www.openwall.com/lists/oss-security/2022/09/21/5

Related Vulnerabilities

CVE-2021-33900 Vulnerability in maven package org.apache.directory.studio:org.apache.directory.studio.parent

CVE-2023-36478 Vulnerability in maven package org.eclipse.jetty.http3:http3-qpack

CVE-2019-10403 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-24794 Vulnerability in npm package express-openid-connect

CVE-2023-30843 Vulnerability in npm package payload

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory