Jenkins issue JENKINS-24287

EnvInject exposes password hashes

Description

Currently, if a user without configuration access to a job can read the job, they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.

If they have Config access to a different folder on the same master, they can use this password hash to expose the password and take control of the account by using the CLI to directly change the job config.xml.

I propose that this link or at least the password hashes be restricted to only users with job config access.

Activity

- walterk82 (Walter Kacynski) created the issue.
- danielbeck (Daniel Beck) set Labels: security.
- walterk82 (Walter Kacynski) added attachments: EnvInject.png [ 26605 ], config.xml [ 26606 ].
- walterk82 (Walter Kacynski) edited the Description: "difference folder" corrected to "different folder", and "by using the CLI to directly change the job config.xml" appended to the second paragraph.
- jglick (Jesse Glick) added link: this issue is related to JENKINS-23447.
- jglick (Jesse Glick) added link: this issue is duplicated by SECURITY-82.
- oleg_nenashev (Oleg Nenashev) added link: this issue is related to JENKINS-29867.
- rtyler (R. Tyler Croy) changed Workflow: JNJira [ 157168 ] to JNJira + In-Review [ 179533 ].
- oleg_nenashev (Oleg Nenashev) changed Assignee: Gregory Boissinot [ gbois ] to Oleg Nenashev [ oleg_nenashev ].
- oleg_nenashev (Oleg Nenashev) added link: this issue duplicates JENKINS-29867.
- oleg_nenashev (Oleg Nenashev) changed Status: Open [ 1 ] to Resolved [ 5 ]; Resolution: Fixed [ 1 ].

People

- Assignee: oleg_nenashev (Oleg Nenashev)
- Reporter: walterk82 (Walter Kacynski)
- Votes: 1
- Watchers: 3