CVE-2022-41247 – org.jenkins-ci.plugins:bigpanda-jenkins

Package

Manager: maven
Name: org.jenkins-ci.plugins:bigpanda-jenkins
Vulnerable Version: >=0 <=1.4.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00456 pctl0.63022

Details

Jenkins BigPanda Notifier Plugin stores BigPanda API key unencrypted BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file `BigpandaGlobalNotifier.xml` on the Jenkins controller as part of its configuration. This API key can be viewed by users with access to the Jenkins controller file system. Additionally, the global configuration form does not mask the API key, increasing the potential for attackers to observe and capture it.

Metadata

Created: 2022-09-22T00:00:29Z
Modified: 2022-12-09T16:15:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-j7xv-fc46-hgpg/GHSA-j7xv-fc46-hgpg.json
CWE IDs: ["CWE-256", "CWE-522"]
Alternative ID: GHSA-j7xv-fc46-hgpg
Finding: F020
Auto approve: 1