SB2022092327 - Multiple vulnerabilities in Jenkins BigPanda Notifier plugin

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Insufficiently protected credentials (CVE-ID: CVE-2022-41247)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration. A remote user can gain unauthorized access to sensitive information on the system.

2) Missing Password Field Masking (CVE-ID: CVE-2022-41248)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin does not mask the BigPanda API key on the global configuration form. A remote attacker can observe and capture it.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243
• http://www.openwall.com/lists/oss-security/2022/09/21/5