JENKINS-24287

EnvInject exposes password hashes

      Description

      Currently, if a user without configuration access to a job can read the job, they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.

      If they have Config access to a different folder on the same master, they can use this password hash to expose the password and take control of the account by using the CLI to directly change the job config.xml.

      I propose that this link or at least the password hashes be restricted to only users with job config access.

            Activity

            walterk82 Walter Kacynski created issue -
            danielbeck Daniel Beck added a comment -

            they can use this password hash to expose the password and take control of the account

            Could you provide steps to reproduce this?

            danielbeck Daniel Beck made changes -
            Field Original Value New Value
            Labels security
            walterk82 Walter Kacynski added a comment -

            I think that I forgot to mention that you need to configure a global password or use job level passwords from this plugin. Doing these options will show the environment variable as injected, which causes this security problem.

            walterk82 Walter Kacynski made changes -
            Attachment EnvInject.png [ 26605 ]
            Attachment config.xml [ 26606 ]
            danielbeck Daniel Beck added a comment -

            This still doesn't explain how other users that

            have Config access to a difference folder on the same master, ... can use this password hash to expose the password and take control of the account

            walterk82 Walter Kacynski added a comment -

            They can use the CLI to retrieve the config.xml and then paste this hash into the document and then update the job back to Jenkins.

            danielbeck Daniel Beck added a comment -

            Thanks for the explanation, makes sense. Passwords should probably be hidden from this output completely, or just have the value (password hidden) or similar.

            walterk82 Walter Kacynski made changes -
            Description
            Original Value:
            Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.

            If they have Config access to a difference folder on the same master, they can use this password hash to expose the password and take control of the account.

            I propose that this link or at least the password hashes be restricted to only users with job config access.
            New Value:
            Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.

            If they have Config access to a different folder on the same master, they can use this password hash to expose the password and take control of the account by using the CLI to directly change the job config.xml

            I propose that this link or at least the password hashes be restricted to only users with job config access.
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-23447 [ JENKINS-23447 ]
            jglick Jesse Glick added a comment -

            Not sure what “password hash” means in this context but is this just a duplicate of JENKINS-23447?

            danielbeck Daniel Beck added a comment -

            Jesse Glick: No, this is about variables recognized by Env-Inject as passwords. They're only shown in encrypted form on the Injected Env Vars page, but that can be reused in another job in the same instance the malicious user has config access to: Just run env there and you "decrypted" the password.
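
The masking suggested earlier in this thread, applied to the encrypted values described in the comment above and combined with the reporter's request to limit them to users with job config access. This is an added example, not EnvInject's code and not the JENKINS-29867 fix; the class, method and variable names are hypothetical and the sample values are constructed.

```java
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Added illustration; names are hypothetical, not EnvInject's API. */
public class InjectedVarsView {
    static final String MASK = "(password hidden)";

    /**
     * Builds the variable map for a read-only "injected variables" page.
     * sensitiveNames: variables the plugin recognizes as passwords.
     * Their values are never rendered, plaintext or encrypted, because the
     * encrypted form is accepted by any job on the same instance.
     */
    static Map<String, String> forDisplay(Map<String, String> injected,
                                          Set<String> sensitiveNames,
                                          boolean viewerCanConfigure) {
        // Also catch copies: another variable holding the same stored value.
        Set<String> secretValues = new HashSet<>();
        for (String name : sensitiveNames) {
            String v = injected.get(name);
            if (v != null && !v.isEmpty()) secretValues.add(v);
        }
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : injected.entrySet()) {
            boolean sensitive = sensitiveNames.contains(e.getKey())
                    || secretValues.contains(e.getValue());
            if (!sensitive) {
                out.put(e.getKey(), e.getValue());
            } else if (viewerCanConfigure) {
                out.put(e.getKey(), MASK); // name visible, value masked
            } // read-only viewers do not see the entry at all
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> injected = new LinkedHashMap<>();
        injected.put("BUILD_TAG", "job-42");                      // constructed
        injected.put("DEPLOY_PASSWORD", "CONSTRUCTED-CIPHERTEXT"); // constructed
        injected.put("DEPLOY_COPY", "CONSTRUCTED-CIPHERTEXT");     // same value, other name
        Set<String> sensitive = Set.of("DEPLOY_PASSWORD");
        System.out.println(forDisplay(injected, sensitive, false));
        System.out.println(forDisplay(injected, sensitive, true));
    }
}
```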

            jglick Jesse Glick made changes -
            Link This issue is duplicated by SECURITY-82 [ SECURITY-82 ]
            elliottjones Elliott Jones added a comment -

            Any thoughts on this being fixed? We have to use passwords managed by a separate IT team for our CI process thus this issue is of concern to them.

            oleg_nenashev Oleg Nenashev added a comment -

            JENKINS-29867 (https://github.com/jenkinsci/envinject-plugin/pull/57) should partially address this use-case in 1.92+

            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is related to JENKINS-29867 [ JENKINS-29867 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 157168 ] JNJira + In-Review [ 179533 ]
            oleg_nenashev Oleg Nenashev made changes -
            Assignee Gregory Boissinot [ gbois ] Oleg Nenashev [ oleg_nenashev ]
            oleg_nenashev Oleg Nenashev added a comment -

            I think the JENKINS-29867 fix is enough. Please reopen the issue if you expect something else to be delivered.

            oleg_nenashev Oleg Nenashev made changes -
            Link This issue duplicates JENKINS-29867 [ JENKINS-29867 ]
            oleg_nenashev Oleg Nenashev made changes -
            Status Open [ 1 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]

              People

              • Assignee:
                oleg_nenashev Oleg Nenashev
                Reporter:
                walterk82 Walter Kacynski