API Key Exposure in Jenkins OpsGenie Plugin by CloudBees
CVE-2022-34803

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Opsgenie Plugin
Vendor: CVE Published:; 30 June 2022

Summary

The Jenkins OpsGenie Plugin for Jenkins versions 1.9 and earlier insecurely stores API keys in an unencrypted format within its global configuration file and job config.xml files. This vulnerability allows users with Extended Read permissions or those with access to the Jenkins controller file system to view the sensitive API keys, potentially leading to unauthorized access and exploit of connected services.

Affected Version(s)

Jenkins OpsGenie Plugin <= 1.9

References

https://www.jenkins.io/security/advisory/2022-06-30/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 30, 2022
Vulnerability Reserved
Jun 29, 2022