Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-25031

Credentials metadata leak in ServerCredentialMapping

    Details

    • Similar Issues:

      Description

      ServerCredentialMapping.DescriptorImpl.doFillCredentialsIdItems should probably start with

      if (context == null || !context.hasPermission(Item.CONFIGURE)) {
          return new ListBoxModel();
      }
      

      lest it expose credentials IDs and descriptions to anonymous users.

      This is assuming that context is actually expected to be non-null. Though if so, why is CredentialsHelper.findValidCredentials ignoring it? If there is no item context, check something, such as Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER).

        Attachments

          Activity

            People

            • Assignee:
              domi Dominik Bartholdi
              Reporter:
              jglick Jesse Glick
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: