Skip to content

Jenkins OpsGenie Plugin vulnerable to Cleartext Transmission of Sensitive Information

Moderate severity GitHub Reviewed Published Jul 1, 2022 to the GitHub Advisory Database • Updated Oct 27, 2023

Package

maven org.jenkins-ci.plugins:opsgenie (Maven)

Affected versions

<= 1.9

Patched versions

None

Description

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file com.opsgenie.integration.jenkins.OpsGenieNotifier.xml and in job config.xml files on the Jenkins controller as part of its configuration.

Additionally, they are transmitted in plain text as part of the respective configuration forms.

These API keys can be viewed by users with Item/Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).

As of publication of this advisory, there is no fix.

References

Published by the National Vulnerability Database Jun 30, 2022
Published to the GitHub Advisory Database Jul 1, 2022
Reviewed Jul 13, 2022
Last updated Oct 27, 2023

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses

CVE ID

CVE-2022-34804

GHSA ID

GHSA-7r65-pjgv-h2h9

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.