-
Bug
-
Resolution: Fixed
-
Major
-
None
-
Since 2.22, including 2.24.1
The ability to run a script prior to sending email was introduced in email-ext, a plugin with 10k+ installations, version 2.22 for JENKINS-12421.
This allows users to exploit their job configure privilege for a single job to gain access to all of Jenkins, circumventing any security measures.
Steps to reproduce
1. In project based matrix security (most severe permissions issue), give "User" overall read permission. Create job "Job" and give read/configure/build permissions to "User"
2. Log out and back in as "User"
3. Configure "Job" to send email-ext (upon success).
4. Set the pre-build script to e.g. "Hudson.instance.doQuietDown()" or "Hudson.instance.projects.each
"
5. Start a build
Result
Jenkins is quieting down, or all projects have been disabled, depending on the script. Everything else is possible as well.
Notes
This feature cannot be deactivated, like Groovy Postbuild's "restrict access to internal objects", or used in a safe way by privileged users only, like Groovy's requiring administration permissions for adding or editing Groovy System build steps.
This issue is identical to SECURITY-35 of June 23rd. Maybe it will get a better response as a public issue.