Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-25035

Credentials metadata leak in MqttNotifier

    Details

    • Similar Issues:

      Description

      MqttNotifier.DescriptorImpl.doFillCredentialsIdItems should take @AncestorInPath Item context to be used in place of Jenkins.getInstance(), and start with

      if (context == null || !context.hasPermission(Item.CONFIGURE)) {
          return new ListBoxModel();
      }
      

      lest it expose credentials IDs and descriptions to anonymous users.

        Attachments

          Activity

            People

            • Assignee:
              gareth_western Gareth Western
              Reporter:
              jglick Jesse Glick
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: