-
Bug
-
Resolution: Not A Defect
-
Major
-
None
-
Found with Jenkins 1.466.1
SSH passwords are retrievable from the configure nodes page. Passwords are only masked when displayed and are retrievable from the page source. This means passwords are being leaked to all users with configure-node access which may be a security concern in some use cases. It is also a potential point of privilege escalation if an attacker is able to gain access through other means.
Steps to reproduce:
1.) Create hudson unix slave launched via SSH with password authentication.
2.) Navigate to configure node page for new job. [https://jenkins/computer/
/configure]
3.) Expand advanced section of launch method
result:
Passwords are masked when displayed but viewing page source shows plain text password.
expected:
It would be safer to mask passwords server side before serving up the page.