JENKINS-25031

Credentials metadata leak in ServerCredentialMapping


      Description

      ServerCredentialMapping.DescriptorImpl.doFillCredentialsIdItems should probably start with

      if (context == null || !context.hasPermission(Item.CONFIGURE)) {
          return new ListBoxModel();
      }
      

      lest it expose credentials IDs and descriptions to anonymous users.

      This is assuming that context is actually expected to be non-null. Though if so, why is CredentialsHelper.findValidCredentials ignoring it? If there is no item context, check something, such as Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER).
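A heuristic source check for the pattern this issue describes, as an added example that is not part of the original report or the plugin's code: it flags Stapler `doFill*Items` methods whose body contains no `hasPermission` or `checkPermission` call. The sample Java and the names `listAllCredentials` and `doFillServerIdItems` are constructed for illustration.

```python
import re

# Stapler form-fill endpoints follow the doFill<Field>Items naming convention.
FILL_METHOD = re.compile(r"\b(doFill\w+Items)\s*\([^)]*\)[^{;]*\{")
# Either call counts as a guard. Heuristic only: a match inside a comment or
# string also passes, so flagged and unflagged methods both need human review.
GUARD = re.compile(r"\b(hasPermission|checkPermission)\s*\(")


def method_body(source, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[open_brace + 1:i]
    return source[open_brace + 1:]  # unbalanced input: take the remainder


def unguarded_fill_methods(source):
    """Names of doFill*Items methods whose body has no permission check."""
    flagged = []
    for match in FILL_METHOD.finditer(source):
        body = method_body(source, match.end() - 1)
        if not GUARD.search(body):
            flagged.append(match.group(1))
    return flagged


# Constructed sample: the first method has no check, the second starts with
# the guard proposed in this issue.
SAMPLE = """
public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item context) {
    return listAllCredentials(context);
}
public ListBoxModel doFillServerIdItems(@AncestorInPath Item context) {
    if (context == null || !context.hasPermission(Item.CONFIGURE)) {
        return new ListBoxModel();
    }
    return listAllCredentials(context);
}
"""

if __name__ == "__main__":
    for name in unguarded_fill_methods(SAMPLE):
        print("no permission check in", name)
```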

          Activity

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: imod
          Path:
          src/main/java/org/jenkinsci/plugins/configfiles/maven/security/ServerCredentialMapping.java
          http://jenkins-ci.org/commit/config-file-provider-plugin/ca3c5a44bd45d0e850485fb9292be87b789281b0
          Log:
          [FIXED JENKINS-25031] don't leak ServerCredentialMapping


            People

            • Assignee:
              domi Dominik Bartholdi
              Reporter:
              jglick Jesse Glick