BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file `BigpandaGlobalNotifier.xml` on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the API key, increasing the potential for attackers to observe and capture it.

Affected Packages

Maven org.jenkins-ci.plugins:bigpanda-jenkins

Affected versions: 0 (last affected: 1.4.0)

Related CVEs

CVE-2022-41248

Key Information

GHSA ID

GHSA-cpm5-cqr9-7p79

Published

September 22, 2022 12:00 AM

Last Modified

December 9, 2022 8:01 PM

CVSS Score

2.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:bigpanda-jenkins

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.