Name of the Vulnerable Software and Affected Versions:

Jenkins BigPanda Notifier Plugin versions 1.4.0 and earlier

Description:

The issue concerns the storage of the BigPanda API key in an unencrypted form within the global configuration file on the Jenkins controller. This file can be accessed by users with permission to the Jenkins controller file system. The global configuration form also fails to mask the API key, potentially allowing attackers to observe and capture it. The key is stored in the `BigpandaGlobalNotifier.xml` file as part of the plugin's configuration.

Recommendations:

For Jenkins BigPanda Notifier Plugin versions 1.4.0 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the API key being viewed by unauthorized users. As a temporary workaround, limit the access to the `BigpandaGlobalNotifier.xml` file until a patch is available. Additionally, avoid displaying the API key in the global configuration form to prevent potential observation and capture by attackers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.