CVE-2022-41248

Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/09/21/5	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243	Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/09/21/5	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:bigpanda_notifier:*:*:*:*:*:jenkins:*:*

History

No history.

Information

Published : 2022-09-21 16:15

Updated : 2025-05-27 19:15

NVD link : CVE-2022-41248

Mitre link : CVE-2022-41248

CVE.ORG link : CVE-2022-41248

JSON object : View

Products Affected

jenkins

bigpanda_notifier

CWE

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2022-41248", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-09-21T16:15:11.277", "references": [{"url": "http://www.openwall.com/lists/oss-security/2022/09/21/5", "tags": ["Mailing List", "Third Party Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243", "tags": ["Vendor Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "http://www.openwall.com/lists/oss-security/2022/09/21/5", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it."}, {"lang": "es", "value": "Jenkins BigPanda Notifier Plugin versiones 1.4.0 y anteriores, no enmascara la clave de la API de BigPanda en el formulario de configuraci\u00f3n global, aumentando la posibilidad a los atacantes de observarlas y capturarlas"}], "lastModified": "2025-05-27T19:15:24.107", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:bigpanda_notifier:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "1706FA52-D433-45EE-867C-551A09399AA7", "versionEndIncluding": "1.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com"}