Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-25031

Credentials metadata leak in ServerCredentialMapping

    Details

    • Similar Issues:

      Description

      ServerCredentialMapping.DescriptorImpl.doFillCredentialsIdItems should probably start with

      if (context == null || !context.hasPermission(Item.CONFIGURE)) {
          return new ListBoxModel();
      }
      

      lest it expose credentials IDs and descriptions to anonymous users.

      This is assuming that context is actually expected to be non-null. Though if so, why is CredentialsHelper.findValidCredentials ignoring it? If there is no item context, check something, such as Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER).

        Attachments

          Activity

          jglick Jesse Glick created issue -
          jglick Jesse Glick made changes -
          Field Original Value New Value
          Link This issue is blocking SECURITY-158 [ SECURITY-158 ]
          scm_issue_link SCM/JIRA link daemon made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 158931 ] JNJira + In-Review [ 195931 ]

            People

            • Assignee:
              domi Dominik Bartholdi
              Reporter:
              jglick Jesse Glick
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: