PT-2022-25763 · Jenkins · Jenkins Bigpanda Notifier Plugin

Marc Heyries · Published 2022-09-21 · Updated 2023-11-01 · CVE-2022-41248

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins BigPanda Notifier Plugin versions 1.4.0 and earlier

Description

The issue concerns how the plugin stores and displays the BigPanda API key in its configuration. The key is written unencrypted to the BigpandaGlobalNotifier.xml file on the Jenkins controller, so any user with file system access to the controller can read it. In addition, the global configuration form does not mask the API key, so anyone who can view that form (or observe the screen while it is open) can read and capture the key.

Recommendations

For Jenkins BigPanda Notifier Plugin versions 1.4.0 and earlier, restrict access to the Jenkins controller file system to reduce the risk of the API key being read. As a temporary workaround, encrypt the BigPanda API key manually and store it securely until a patch is available, and avoid entering the key through the plugin's global configuration form until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
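The advisory tells an operator what is wrong but not how to confirm it on a given controller. The following script is an added example, not part of the advisory and not code from the plugin or Jenkins: it parses a plugin configuration XML file from the controller and reports secret-bearing elements whose value is not in Jenkins' encrypted Secret form (base64 wrapped in braces, which is how hudson.util.Secret fields are serialised). The element names it looks for (apiKey, appKey, token, password, secret) are an assumption, since the advisory does not name the element the plugin uses for the key; the two sample configurations and every key value in them are constructed for the example. Reported values are redacted so the checker itself does not leak the key.

```python
"""Scan a Jenkins plugin config XML for secrets stored in cleartext.

Added example, not the plugin's or Jenkins' own code. Element names and
sample values below are constructed assumptions.
"""
import re
import sys
import xml.etree.ElementTree as ET

# hudson.util.Secret serialises as base64 inside braces, e.g. {AQAAABAAAAAw...}.
# A non-empty value in a secret-bearing element that does not look like this is
# stored in cleartext on the controller's disk.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Element names that typically carry credentials. Assumption: the advisory does
# not give the plugin's actual element name for the BigPanda API key.
SECRET_NAME = re.compile(r"(api[-_]?key|app[-_]?key|token|password|secret)", re.IGNORECASE)


def _walk(elem, path, findings):
    """Depth-first walk recording secret-looking elements that are not encrypted."""
    here = f"{path}/{elem.tag}"
    value = (elem.text or "").strip()
    if value and SECRET_NAME.search(elem.tag) and not ENCRYPTED_SECRET.match(value):
        # Keep only a two-character prefix so the report does not reproduce the key.
        findings.append((here, value[:2] + "*" * (len(value) - 2)))
    for child in elem:
        _walk(child, here, findings)


def find_cleartext_secrets(xml_text):
    """Return [(element path, redacted value)] for every cleartext secret found."""
    findings = []
    _walk(ET.fromstring(xml_text), "", findings)
    return findings


def scan_file(path):
    """Convenience wrapper for a config file on disk, e.g. $JENKINS_HOME/<plugin>.xml."""
    with open(path, encoding="utf-8") as fh:
        return find_cleartext_secrets(fh.read())


# Constructed sample resembling the vulnerable case: plain String fields on disk.
VULNERABLE_CONFIG = """<BigpandaGlobalNotifier>
  <apiKey>bp-constructed-example-key-1234</apiKey>
  <appKey>constructed-app-key-5678</appKey>
  <endpoint>https://api.example.invalid/alerts</endpoint>
</BigpandaGlobalNotifier>
"""

# Constructed sample of the same config once the fields are hudson.util.Secret
# (the encrypted blobs are made-up base64, not real ciphertext).
HARDENED_CONFIG = """<BigpandaGlobalNotifier>
  <apiKey>{AQAAABAAAAAwYzJkN2M5ZWFmMTA0YjRmNmE5ZjA1Nzc1YzQ4ZmY1MzA=}</apiKey>
  <appKey>{AQAAABAAAAAQZmFrZS1iYXNlNjQtYmxvYi1ub3QtcmVhbA==}</appKey>
  <endpoint>https://api.example.invalid/alerts</endpoint>
</BigpandaGlobalNotifier>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for config_path in sys.argv[1:]:
            for where, preview in scan_file(config_path):
                print(f"{config_path}: cleartext secret at {where} = {preview}")
    else:
        print("vulnerable sample:", find_cleartext_secrets(VULNERABLE_CONFIG))
        print("hardened sample:", find_cleartext_secrets(HARDENED_CONFIG))
```

Run it against the plugin's XML file (and any other plugin configs) on the controller; a clean result is an empty list. Two caveats: very old Jenkins installations may hold legacy Secret values as bare base64 without braces, which this check would flag as cleartext, and the name filter will miss an element the plugin calls something unexpected, so widen SECRET_NAME if the config uses a different name for the key.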

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2022-41248
GHSA-CPM5-CQR9-7P79

Affected Products

Jenkins
Jenkins Bigpanda Notifier Plugin