JENKINS-15213

email-ext 2.22+ allows any user with configure permission for a single job to circumvent Jenkins security

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: email-ext-plugin
    • Labels:
      None
    • Environment:
      Since 2.22, including 2.24.1

      Description

      The ability to run a script prior to sending email was introduced in email-ext version 2.22 (a plugin with 10k+ installations) for JENKINS-12421.

      This allows users to exploit their job configure privilege for a single job to gain access to all of Jenkins, circumventing any security measures.

      Steps to reproduce

      1. In project-based matrix security (the most severe permissions issue), give "User" overall read permission. Create job "Job" and give read/configure/build permissions to "User".
      2. Log out and back in as "User"
      3. Configure "Job" to send email-ext (upon success).
      4. Set the pre-build script to e.g. "Hudson.instance.doQuietDown()" or "Hudson.instance.projects.each { it.disable() }"
      5. Start a build

      Result

      Jenkins is quieting down, or all projects have been disabled, depending on the script. Everything else is possible as well.

      Notes

      This feature cannot be deactivated, like Groovy Postbuild's "restrict access to internal objects", or used in a safe way by privileged users only, like Groovy's requiring administration permissions for adding or editing Groovy System build steps.

      This issue is identical to SECURITY-35 of June 23rd. Maybe it will get a better response as a public issue.
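Because the pre-send script cannot be switched off in the affected versions, an administrator's practical mitigation is to know which jobs have one configured. The following audit is an added example, not code from the issue or the plugin; it assumes email-ext persists the script in each job's config.xml as a `presendScript` element under the `hudson.plugins.emailext.ExtendedEmailPublisher` publisher, and the sample configs are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed persistence names (not given in the issue): email-ext's publisher class
# and the element under it that holds the pre-send Groovy script.
PUBLISHER_TAG = "hudson.plugins.emailext.ExtendedEmailPublisher"
SCRIPT_TAG = "presendScript"


def find_presend_scripts(config_xml: str) -> list[str]:
    """Return every non-empty pre-send script in one job's config.xml."""
    root = ET.fromstring(config_xml)
    found = []
    for publisher in root.iter(PUBLISHER_TAG):
        node = publisher.find(SCRIPT_TAG)
        # An absent or whitespace-only element means no script is configured.
        if node is not None and node.text and node.text.strip():
            found.append(node.text.strip())
    return found


def audit_jobs(configs: dict[str, str]) -> dict[str, list[str]]:
    """Map job name -> configured pre-send scripts; jobs without any are omitted."""
    report = {}
    for job, xml in configs.items():
        scripts = find_presend_scripts(xml)
        if scripts:
            report[job] = scripts
    return report


def audit_jenkins_home(jenkins_home: Path) -> dict[str, list[str]]:
    """Read $JENKINS_HOME/jobs/<name>/config.xml for every job and audit them."""
    configs = {p.parent.name: p.read_text(encoding="utf-8")
               for p in (jenkins_home / "jobs").glob("*/config.xml")}
    return audit_jobs(configs)


# Constructed sample configs: one job with the script quoted in the report,
# one with an empty element, one without email-ext at all.
SAMPLE_CONFIGS = {
    "Job": f"""<project><publishers><{PUBLISHER_TAG}>
      <recipientList>ops@example.test</recipientList>
      <{SCRIPT_TAG}>Hudson.instance.doQuietDown()</{SCRIPT_TAG}>
    </{PUBLISHER_TAG}></publishers></project>""",
    "Nightly": f"""<project><publishers><{PUBLISHER_TAG}>
      <{SCRIPT_TAG}>   </{SCRIPT_TAG}></{PUBLISHER_TAG}></publishers></project>""",
    "Docs": "<project><publishers/></project>",
}

if __name__ == "__main__":
    for job, scripts in audit_jobs(SAMPLE_CONFIGS).items():
        print(f"{job}: {len(scripts)} pre-send script(s) -> {scripts[0]!r}")
```

Run `audit_jenkins_home(Path("/var/lib/jenkins"))` against a real installation to list every job whose configurer has been granted this code-execution path.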


          Activity

          danielbeck Daniel Beck created issue
          slide_o_mix Alex Earl made changes: Status Open [1] -> In Progress [3]
          slide_o_mix Alex Earl made changes: Status In Progress [3] -> Resolved [5]; Resolution -> Fixed [1]
          jglick Jesse Glick made changes: Link "This issue is duplicated by SECURITY-35" [SECURITY-35]
          rtyler R. Tyler Croy made changes: Workflow JNJira [145935] -> JNJira + In-Review [191704]

            People

            • Assignee: slide_o_mix Alex Earl
            • Reporter: danielbeck Daniel Beck
            • Votes: 2
            • Watchers: 5
