JENKINS-25035: Credentials metadata leak in MqttNotifier

      Description

      MqttNotifier.DescriptorImpl.doFillCredentialsIdItems should take @AncestorInPath Item context to be used in place of Jenkins.getInstance(), and start with

      if (context == null || !context.hasPermission(Item.CONFIGURE)) {
          return new ListBoxModel();
      }

      lest it expose credentials IDs and descriptions to anonymous users.
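      The following is an added illustration of the change requested above, written for this note and not taken from the mqtt-notification plugin's source. The method name, the @AncestorInPath Item parameter and the Item.CONFIGURE guard are from the issue; the credential type (StandardUsernamePasswordCredentials), the use of StandardListBoxModel and the surrounding class are assumptions about what such a descriptor method typically looks like.

```java
package jenkins.plugins.mqttnotification;

import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;

import java.util.Collections;

/**
 * Added example, not the plugin's own code. In the real plugin these methods
 * live on MqttNotifier.DescriptorImpl and are invoked by Stapler when the job
 * configuration page populates the credentials drop-down.
 */
public class CredentialsIdItemsExample {

    /**
     * Before (the pattern the issue reports). The lookup is rooted at
     * Jenkins.getInstance(), so no job is involved and no per-item permission
     * is checked: any request that reaches the form-filling endpoint receives
     * the IDs and descriptions of every credential visible to SYSTEM, including
     * requests from anonymous users who only hold Overall/Read.
     */
    public ListBoxModel doFillCredentialsIdItemsLeaky() {
        return new StandardListBoxModel().withEmptySelection().withAll(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.getInstance(), ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()));
    }

    /**
     * After (the fix requested in the issue). Stapler injects the job from the
     * request path; callers outside a job context get null. Returning an empty
     * model in the guard branch discloses nothing about the credential store.
     */
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item context) {
        if (context == null || !context.hasPermission(Item.CONFIGURE)) {
            return new ListBoxModel();
        }
        // Scoping the lookup to the job also makes folder-level credential
        // stores and domain requirements resolve the same way they will at
        // build time, instead of always resolving against the root.
        return new StandardListBoxModel().withEmptySelection().withAll(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        context, ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()));
    }
}
```

      The same guard applies to any doFill*Items or doCheck* method on a descriptor that reads credential metadata; newer releases of the credentials plugin additionally expose CredentialsProvider.USE_ITEM for descriptors that want a finer-grained permission than Item.CONFIGURE.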


          Activity

          jglick Jesse Glick created issue
          jglick Jesse Glick made changes: Link: This issue is blocking SECURITY-158
          gareth_western Gareth Western made changes: Assignee: Gareth Western [ gareth_western ]
          gareth_western Gareth Western added a comment (edited):

          Thanks for the bug report! I'll try to get this patched and published sometime this week.

          gareth_western Gareth Western made changes: Status: Open [ 1 ] -> In Progress [ 3 ]
          gareth_western Gareth Western made changes: Status: In Progress [ 3 ] -> Open [ 1 ]
          gareth_western Gareth Western made changes: Status: Open [ 1 ] -> In Progress [ 3 ]
          gareth_western Gareth Western added a comment:

          To be released in 1.3

          gareth_western Gareth Western made changes: Status: In Progress [ 3 ] -> Resolved [ 5 ]; Resolution: Fixed [ 1 ]
          scm_issue_link SCM/JIRA link daemon added a comment:

          Code changed in jenkins
          User: Gareth Western
          Path:
          src/main/java/jenkins/plugins/mqttnotification/MqttNotifier.java
          http://jenkins-ci.org/commit/mqtt-notification-plugin/7d945beb5380bcbaa6407e67c0e7fdfe44c1ae7f
          Log:
          JENKINS-25035 Guard against credentials leak

          rtyler R. Tyler Croy made changes: Workflow: JNJira [ 158935 ] -> JNJira + In-Review [ 195932 ]
          gareth_western Gareth Western made changes: Status: Resolved [ 5 ] -> Closed [ 6 ]

            People

            Assignee: gareth_western Gareth Western
            Reporter: jglick Jesse Glick
            Votes: 0
            Watchers: 3
