- Improvement
- Resolution: Not A Defect
- Major
- None
- Jenkins 2.46.3
The `crumbIssuer` should be accessible (configurable) to anyone (i.e., anonymous) even if anonymous read access is disabled, as it prevents access to the API for commit hooks that do not require explicit authentication.
For example, in a commit hook that is trying to remotely trigger a build using an authentication token, the commit hook does not require specific username/password authentication. However, in order to retrieve the necessary CSRF crumb to pass to the POST request, it requires authentication credentials to retrieve it from the `crumbsIssuer` endpoint.
Steps to reproduce:
- disable anonymous access to Jenkins
- try to access the crumbIssuer endpoint (http://JENKINSHOST/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb))
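An added example (not code from the issue or from Jenkins) of the crumb handling a commit hook needs: it parses both forms of the crumbIssuer response, the XML document and the `crumbRequestField:crumb` text the xpath query above returns, and builds the build-trigger POST. The host, job name and token are constructed placeholders; when the crumb fetch is refused, as in the scenario reported, the hook has no crumb to attach and the request goes out without one.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request


def parse_crumb(body):
    """Return (header_name, crumb_value) from a crumbIssuer response body.

    Accepts the XML form served by /crumbIssuer/api/xml and the plain-text
    form produced by ?xpath=concat(//crumbRequestField,":",//crumb).
    """
    body = body.strip()
    if body.startswith("<"):
        root = ET.fromstring(body)
        field = root.findtext("crumbRequestField")
        value = root.findtext("crumb")
    else:
        # text form: "<crumbRequestField>:<crumb>", split at the first colon
        field, _, value = body.partition(":")
    if not field or not value:
        raise ValueError("unrecognised crumb response: %r" % body)
    return field, value


def build_trigger_request(jenkins_url, job, token, crumb_response=None):
    """Build the POST a commit hook sends to /job/<job>/build.

    The build token travels in the query string. The CSRF crumb, when the hook
    was able to fetch one, is sent in the header named by crumbRequestField.
    crumb_response is None when the crumbIssuer endpoint refused the hook
    (the case this issue describes), so no crumb header is added.
    """
    url = "%s/job/%s/build?%s" % (jenkins_url.rstrip("/"), job,
                                   urlencode({"token": token}))
    headers = {}
    if crumb_response is not None:
        field, value = parse_crumb(crumb_response)
        headers[field] = value
    return Request(url, data=b"", headers=headers, method="POST")


if __name__ == "__main__":
    # constructed sample values; a real hook would GET the crumb first
    sample = "Jenkins-Crumb:0123abcd"
    req = build_trigger_request("http://jenkins.example", "app-build",
                                "hook-token", sample)
    print(req.get_method(), req.full_url, dict(req.header_items()))
```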