4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-34803

GHSA ID

GHSA-273c-fjw8-v2w8

EPSS Score

0.69036%

CWE

CWE-256

Published

7/1/2022

Updated

10/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-34803

CVE-2022-34803: Jenkins OpsGenie Plugin Plaintext Storage of a Password vulnerability

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file com.opsgenie.integration.jenkins.OpsGenieNotifier.xml and in job config.xml files on the Jenkins controller as part of its configuration.

Additionally, they are transmitted in plain text as part of the respective configuration forms.

These API keys can be viewed by users with Item/Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).

As of publication of this advisory, there is no fix.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-34803

GHSA ID

GHSA-273c-fjw8-v2w8

EPSS Score

0.69036%

CWE

CWE-256

Published

7/1/2022

Updated

10/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:opsgenie	maven	<= 1.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from three key failures: 1) Plaintext storage in global/job configs 2) Plaintext transmission in forms 3) Lack of access controls. The OpsGenieNotifier class is central to configuration handling in Jenkins plugins. The configure() method typically handles XML serialization, and getApiKey() would expose the value to views. Job config.xml storage implies the serialization logic in the notifier class doesn't use Jenkins' Secret management. While exact method names can't be verified without source code, these patterns match Jenkins plugin vulnerability paradigms for credential handling (CWE-256/522).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins Ops**ni* Plu*in *.* *n* **rli*r stor*s *PI k*ys un*n*rypt** in its *lo**l *on*i*ur*tion *il* `*om.ops**ni*.int**r*tion.j*nkins.Ops**ni*Noti*i*r.xml` *n* in jo* `*on*i*.xml` *il*s on t** J*nkins *ontroll*r *s p*rt o* its *on*i*ur*tion. ***iti

Reasoning

T** vuln*r**ility st*ms *rom t*r** k*y **ilur*s: *) Pl*int*xt stor*** in *lo**l/jo* *on*i*s *) Pl*int*xt tr*nsmission in *orms *) L**k o* ****ss *ontrols. T** Ops**ni*Noti*i*r *l*ss is **ntr*l to *on*i*ur*tion **n*lin* in J*nkins plu*ins. T** *on*i*u

4.3

Basic Information

Concerned about an active attack path?

CVE-2022-34803: Jenkins OpsGenie Plugin Plaintext Storage of a Password vulnerability

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI