Jenkins / JENKINS-34427

Sonar user password is stored in plain text in every job configuration

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: quality-gates-plugin
    • Labels: None
    • Environment:
      Quality Gates Plugin version 2.3
      Jenkins core version 1.652

      Description

      The sonar user password that the admin configured in the system configuration is stored in plain text in every job configuration.
      That's a security issue.
      I'm also not sure what will happen if the admin changes the password in the system configuration. Does the job then still have the old password and problems accessing sonar?
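As an added example (not code from the issue or from the Quality Gates Plugin), a defender-side scanner for the condition the reporter describes: it walks a job config.xml and flags credential-looking elements whose value is not in Jenkins' serialised Secret form. The element names and the ciphertext-looking value in the samples are constructed, not the plugin's real fields.

```python
"""Scan a Jenkins job config.xml for credentials stored in plain text."""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Tag names that usually hold a credential (case-insensitive substring match).
SECRET_TAG_HINTS = ("password", "passwd", "secret", "token", "apikey")

# A serialised hudson.util.Secret looks like "{<base64>}" (Secret.getEncryptedValue()).
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def looks_encrypted(value: str) -> bool:
    """True when the value is in Jenkins' braced-base64 Secret form.
    Caveat: Secrets written by very old Jenkins versions are bare base64 without
    braces; this heuristic reports those as findings, so confirm by inspection."""
    return bool(ENCRYPTED_RE.match(value.strip()))


def find_plaintext_secrets(config_xml: str) -> List[Tuple[str, str]]:
    """Return (tag, masked value) for credential-like elements whose value is not encrypted.
    The value is masked (length only) so the scanner never copies a secret into its
    own output or a log, which is the second problem raised in the issue."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        tag = elem.tag.rsplit(".", 1)[-1].lower()  # drop any Java package prefix
        if any(hint in tag for hint in SECRET_TAG_HINTS):
            value = (elem.text or "").strip()
            if value and not looks_encrypted(value):
                findings.append((elem.tag, "*" * len(value)))
    return findings


# Constructed sample job config (element names are made up, not the plugin's real
# fields): the global Sonar password was copied into the job as plain text.
SAMPLE_JOB_CONFIG = """<project>
  <publishers>
    <quality.gates.PublisherStub>
      <sonarUsername>admin</sonarUsername>
      <sonarPassword>admin</sonarPassword>
    </quality.gates.PublisherStub>
  </publishers>
</project>"""

# The same job after a fix: the value is a serialised Secret (constructed, not a real ciphertext).
FIXED_JOB_CONFIG = SAMPLE_JOB_CONFIG.replace(
    "<sonarPassword>admin</sonarPassword>",
    "<sonarPassword>{AQAAABAAAAAQc2FtcGxlY2lwaGVydGV4dA==}</sonarPassword>",
)
```

Run `find_plaintext_secrets` over each `jobs/*/config.xml` under JENKINS_HOME (and over the JobConfigHistory copies mentioned below, which retain old revisions) to confirm a fix actually removed the plaintext copies.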

        Attachments

          Activity

          Ivana Sh added a comment:

          Hi Stefan,
          we left the password for Sonar like that because it is the default password and username for every Sonar installation,
          so in any case if you have Sonar installed you should change the default password because otherwise it will be that one.
          Then in the global configuration you will put your new password (the changed one) and it will be ok.

          Jochen A. Fürbacher added a comment (edited):

          Hi Ivana,

          I see two problems Stefan mentioned:

          • Security: When you configure the sonar instance globally and configure a job to use this sonar instance, then the CURRENT password of the sonar instance (the one that's configured globally) also gets stored in the job configuration. All users (also those without admin rights) can see that password. It's not just the default password!
          • (Not sure about that) When the admin configures a sonar instance globally, and a job gets configured to use that instance (as described above), the current password gets stored in the job configuration. When the admin changes the password for this sonar instance, then the old password remains in the job config.

          Stefan and I noticed another major security issue: When the admin does a global configuration, the credentials (incl. the sonar password) get logged in plaintext!

          Stefan Brausch added a comment:

          Screenshot from JobConfigHistory output added

          Ivana Sh added a comment:

          Hi Stefan and Jochen,

          thank you for your remarks, we will try to resolve this as soon as possible.

          Cheers.

          Ivana Sh added a comment:

          Hi,
          we resolved the issues, so you can check them now and give us feedback.
          Thanks,
          Cheers

          Jochen A. Fürbacher added a comment:

          Hi Ivana,

          thank you very much! We tested it and it works well.
          Great job! It's great to have such a useful plugin, now.

          Cheers!

          Jochen A. Fürbacher added a comment:

          Fixed.

          Stefan Brausch added a comment:

          Thanks a lot. Good work.


            People

            • Assignee: Ivana Sh
            • Reporter: Stefan Brausch
            • Votes: 0
            • Watchers: 5