Jenkins / JENKINS-18884

Separate Permission for People View to close Security Hole with AD Plugin


      Description

      Even when choosing the most restricted user rights (Role Plugin: Global Role only 1 Read), it is possible for every user to view the Jenkins User Id AND the name of the user (see screenshots).
      Working with an Active Directory for authentication, this means it's possible for everybody to get the user names from AD AND the common names (Security Hole with AD Plugin?).

      Goal: create a Permission to allow specific People/Roles to see this User Account info and deny it to all others.


            Activity

            joker3d Konstantin Trunin added a comment -

            This is a serious security breach, so I do not understand why this defect is taking so long to fix.

            vixen03 Maciej M added a comment -

            This issue is really blocking us from switching to Jenkins. Is there any forecast when this could be fixed?

            kothandaraman_sps Kothandaraman added a comment -

            Is there any way to disable the "people" link on the Jenkins Dashboard page?

            vladimir81 Vladimír Čamaj added a comment -

            Created at 2013-07-23 10:03. Are you serious? What is the chance this security hole will be resolved this month?

            oleg_nenashev Oleg Nenashev added a comment -

            Vladimír Čamaj

            Please consider me as messenger here. First of all, if this is a security issue from your point of view, please report it according to https://jenkins.io/security/#reporting-vulnerabilities. It is currently considered as a Security Hardening by the Jenkins security team (see the labels). Read as "request for enhancement". If you have additional data which may alter this decision, please report it to the security team.

            Everybody is also welcome to take over https://github.com/jenkinsci/jenkins/pull/1102 from ikedam and to get it over the line.

            P.S: Personally I would love to see this fix integrated, and I consider it an important change to do. I am happy to help with reviews and with getting this change delivered, but I do not plan to work on this issue on my own.

             


              People

              • Assignee: mreinhardt Martin Reinhardt
              • Reporter: night_shift Annabella Schmidt
              • Votes: 18
              • Watchers: 22
