Loading...

XML

Word

Printable

Type: Improvement
Resolution: Fixed
Priority: Major
Component/s: core
Labels:
- security
- user-experience

Similar Issues:

Show
Released As:
2.289.1, 2.286

As described here:

http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html

A user with "configure" privileges can execute arbitrary code in the context of the application server running jenkins, and leverage this to bypass authentication and take full control of the jenkins server. This is only a problem because the security matrix seems to be designed to separate privileges, and the fact a user with "configure" privs for a single project can take over the whole server is non-obvious to administrators.

Do you think this is something that constitutes a legitimate flaw to fix? Or more just something to be documented?

is duplicated by

JENKINS-49861 Disable master executors by default for Jenkins Essentials

Resolved

JENKINS-33555 Provide option to disable master build executors while starting service

Resolved

is related to

JENKINS-30749 Jenkins should be secure out of the box by default

Resolved

JENKINS-46652 Authorize Project blocks Pipeline Jobs when Computer/Build for master is lacking

Resolved

relates to

JENKINS-22949 QueueItemAuthenticator fallback behavior cleanup

Resolved

JENKINS-56617 Node-based security is ignored with pipelines

Resolved

links to

CloudBees Internal OSS-2267

jenkins PR 3919

(1 relates to, 2 links to)

Assignee:: Unassigned

Reporter:: David Jorm

Votes:: 1 Vote for this issue

Watchers:: 13 Start watching this issue

Created:: 2014-08-21 07:30

Updated:: 2022-04-19 21:48

Resolved:: 2021-07-07 08:50

Details

Description

Attachments

Issue Links

Activity

People

Dates