Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-23627

Overall.READ is sufficient to access /administrativeMonitor/hudsonHomeIsFull/

    Details

    • Similar Issues:

      Description

      This does not appear to really be an issue by itself, but it might be in the case of carelessly implemented Solution's to this problem that don't check permissions in message.jelly and expose private data on the overview page (even if checking permissions for any associated actions).

        Attachments

          Activity

          Hide
          danielbeck Daniel Beck added a comment -

          It also exposes the path to JENKINS_HOME which will reveal master OS and could reveal configuration details. I don't think this should be public.

          Show
          danielbeck Daniel Beck added a comment - It also exposes the path to JENKINS_HOME which will reveal master OS and could reveal configuration details. I don't think this should be public.
          Hide
          danielbeck Daniel Beck added a comment -

          Like SECURITY-133, this is fairly harmless and a fix can probably be released in a regular release. Again, let me know if I should not release the fix.

          $ git show e7f72e5
          commit e7f72e502377138a36e65d52d3c2b7311b07a5ec
          Author: Daniel Beck <daniel-beck@github.com>
          Date:   Sun May 11 00:19:45 2014 +0200
          
              [FIX SECURITY-134] Restrict access to admin monitor info page
              
              This could contain sensitive information in the list of solutions
              provided. It also shows the path to JENKINS_HOME, exposing OS and
              configuration information.
          
          diff --git a/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly b/core/src/main/resources/hudson/diagnosis/Hudso
          index fb29dd5..eb39bea 100644
          --- a/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly
          +++ b/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly
          @@ -24,7 +24,7 @@ THE SOFTWARE.
           
           <?jelly escape-by-default='true'?>
           <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form
          -       <l:layout title="${%JENKINS_HOME is almost full}">
          +       <l:layout title="${%JENKINS_HOME is almost full}" permission="${app.ADMINISTER}">
                          <l:main-panel>
                 <h1>
                   <img src="${imagesURL}/48x48/warning.png" height="48" width="48" />
          Show
          danielbeck Daniel Beck added a comment - Like SECURITY-133, this is fairly harmless and a fix can probably be released in a regular release. Again, let me know if I should not release the fix. $ git show e7f72e5 commit e7f72e502377138a36e65d52d3c2b7311b07a5ec Author: Daniel Beck <daniel-beck@github.com> Date: Sun May 11 00:19:45 2014 +0200 [FIX SECURITY-134] Restrict access to admin monitor info page This could contain sensitive information in the list of solutions provided. It also shows the path to JENKINS_HOME, exposing OS and configuration information. diff --git a/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly b/core/src/main/resources/hudson/diagnosis/Hudso index fb29dd5..eb39bea 100644 --- a/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly +++ b/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly @@ -24,7 +24,7 @@ THE SOFTWARE. <?jelly escape-by- default = ' true ' ?> <j:jelly xmlns:j= "jelly:core" xmlns:st= "jelly:stapler" xmlns:d= "jelly:define" xmlns:l= "/lib/layout" xmlns:t= "/lib/hudson" xmlns:f="/lib/form - <l:layout title= "${%JENKINS_HOME is almost full}" > + <l:layout title= "${%JENKINS_HOME is almost full}" permission= "${app.ADMINISTER}" > <l:main-panel> <h1> <img src= "${imagesURL}/48x48/warning.png" height= "48" width= "48" />
          Hide
          jglick Jesse Glick added a comment -

          Was merged for a regular release.

          Show
          jglick Jesse Glick added a comment - Was merged for a regular release.
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly
          http://jenkins-ci.org/commit/jenkins/6f030c201539027bf0309cee1d58cbfb7434aacf
          Log:
          JENKINS-23627 Restrict access to admin monitor info page

          This could contain sensitive information in the list of solutions
          provided. It also shows the path to JENKINS_HOME, exposing OS and
          configuration information.

          (cherry picked from commit 97c90ace15964143aa266da23c9c18de704bb3ad)

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Daniel Beck Path: core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly http://jenkins-ci.org/commit/jenkins/6f030c201539027bf0309cee1d58cbfb7434aacf Log: JENKINS-23627 Restrict access to admin monitor info page This could contain sensitive information in the list of solutions provided. It also shows the path to JENKINS_HOME, exposing OS and configuration information. (cherry picked from commit 97c90ace15964143aa266da23c9c18de704bb3ad)

            People

            • Assignee:
              kohsuke Kohsuke Kawaguchi
              Reporter:
              danielbeck Daniel Beck
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: