CVE-2022-34804

Name of the Vulnerable Software and Affected Versions Jenkins OpsGenie Plugin versions 1.9 and earlier

Description The issue concerns the transmission and storage of API keys in plain text. Specifically, API keys are transmitted in plain text as part of the global Jenkins configuration form and job configuration forms, potentially resulting in their exposure. Additionally, these keys are stored unencrypted in the global configuration file com.opsgenie.integration.jenkins.OpsGenieNotifier.xml and in job config.xml files on the Jenkins controller. Users with Item/Extended Read permission or access to the Jenkins controller file system can view these API keys.

Recommendations For Jenkins OpsGenie Plugin versions 1.9 and earlier, as a temporary workaround, consider restricting access to the global configuration file and job configuration files to minimize the risk of API key exposure. Avoid using the com.opsgenie.integration.jenkins.OpsGenieNotifier.xml and job config.xml files until a fix is available. Restrict access to the Jenkins controller file system to prevent unauthorized viewing of API keys. At the moment, there is no information about a newer version that contains a fix for this vulnerability.