CVE-2022-34804: 
Java vulnerability analysis and mitigation

The Jenkins OpsGenie Plugin version 1.9 and earlier contains a security vulnerability (CVE-2022-34804) related to the transmission of API keys in plain text. This vulnerability was discovered and reported by github.com/jetersen, and was publicly disclosed on June 30, 2022. The vulnerability affects the plugin's handling of API keys in both global Jenkins configuration and job configuration forms (Jenkins Advisory).

The vulnerability is classified with medium severity and involves the transmission of API keys in plain text format through configuration forms. Specifically, the API keys are exposed in two contexts: the global Jenkins configuration form and job configuration forms. This implementation flaw could potentially lead to the exposure of sensitive authentication credentials (NVD).

The exposure of API keys can be accessed by users with Item/Extended Read permission (for job config.xml files) or by users with access to the Jenkins controller file system. This vulnerability potentially allows unauthorized users to view and capture sensitive API credentials, which could be used to access and manipulate OpsGenie services (Jenkins Advisory).

As of the advisory's publication date, there was no fix available for this vulnerability in the OpsGenie Plugin. Users are advised to carefully manage access permissions to the Jenkins controller file system and restrict Item/Extended Read permissions to trusted users until a patch is released (Jenkins Advisory).