PT-2022-22355 · Jenkins · Jenkins Opsgenie Plugin

Kevin Guerroudj

Published 2022-06-30 · Updated 2023-11-22

CVE-2022-34803

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins OpsGenie Plugin versions 1.9 and earlier

Description
The plugin stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller. These keys can be read by users with Item/Extended Read permission on the affected jobs, or by anyone with access to the Jenkins controller file system. The API keys are also transmitted in plain text as part of the configuration forms. This could allow unauthorized access to sensitive information.

Recommendations
For Jenkins OpsGenie Plugin versions 1.9 and earlier, as a temporary workaround, restrict access to the global configuration file com.opsgenie.integration.jenkins.OpsGenieNotifier.xml and to job config.xml files to reduce the risk of exploitation. Additionally, limit the set of users granted Item/Extended Read permission to reduce the attack surface. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
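An added check, not part of this advisory or of the plugin itself, that an administrator can run against a JENKINS_HOME to find configuration files still holding a plaintext key-like value. It relies on the fact that Jenkins writes fields of type hudson.util.Secret as base64 wrapped in braces; the element names it inspects (apiKey and the others in KEY_ELEMENTS) and the sample configurations are assumptions, since the advisory does not give the exact element the OpsGenie plugin writes.

```python
import os
import re
import xml.etree.ElementTree as ET

# Jenkins serialises hudson.util.Secret fields as base64 wrapped in braces,
# e.g. "{AQAAABAAAAAQ...=}". A key-like element holding anything else was
# written in plaintext, which is the condition this advisory describes.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")
# Element names to inspect. "apiKey" is an assumed name for illustration; the
# advisory does not state the exact element the OpsGenie plugin writes.
KEY_ELEMENTS = {"apiKey", "apiToken", "token", "password"}

def is_encrypted_secret(value):
    return bool(ENCRYPTED_SECRET.match(value.strip()))

def find_plaintext_keys(xml_text):
    """Tags of key-like elements whose value is not an encrypted Secret.
    Values are intentionally not returned, so the scan does not leak the key."""
    root = ET.fromstring(xml_text)
    return [el.tag for el in root.iter()
            if el.tag in KEY_ELEMENTS and el.text and el.text.strip()
            and not is_encrypted_secret(el.text)]

def scan_jenkins_home(home):
    """Walk JENKINS_HOME (global *.xml files and job config.xml alike) and
    return {path: [tags]} for every file holding a plaintext key-like value."""
    report = {}
    for dirpath, _, files in os.walk(home):
        for name in files:
            if not name.endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = find_plaintext_keys(fh.read())
            except (ET.ParseError, OSError, UnicodeDecodeError):
                continue
            if hits:
                report[path] = hits
    return report

# Constructed samples, not taken from a real installation.
PLAINTEXT_CONFIG = """<opsgenieNotifier>
  <apiKey>ogk-EXAMPLE-NOT-A-REAL-KEY-0000</apiKey>
  <apiUrl>https://api.opsgenie.com</apiUrl>
</opsgenieNotifier>"""
ENCRYPTED_CONFIG = """<opsgenieNotifier>
  <apiKey>{AQAAABAAAAAQc2FtcGxlc2FtcGxlc2FtcGxlc2FtcGxlc2FtcGxl}</apiKey>
  <apiUrl>https://api.opsgenie.com</apiUrl>
</opsgenieNotifier>"""
```

Very old Jenkins installations wrote Secret values as bare base64 without braces, which this check reports as plaintext; treat those hits as a prompt to re-save the configuration rather than as confirmed leaks.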

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2022-34803
GHSA-273C-FJW8-V2W8

Affected Products

Jenkins
Jenkins Opsgenie Plugin