  1. Infrastructure
  2. INFRA-2069

Script-security plugin enables printing password credentials without approbation

      Description

      In a pipeline job, it's possible to invoke Jenkins.instance, parse global credentials and print credential passwords.

      You need to deselect "Use Groovy Sandbox". The user just needs to have job/read, job/build and Global/read.

      script-security plugin in version 1.44 or above.

          Activity

          olivieratsncf olivier G created issue -
          olivieratsncf olivier G added a comment -

          Sorry not infra but jenkins issue

          olivieratsncf olivier G made changes -
          Field Original Value New Value
          Resolution Won't Do [ 10001 ]
          Status Open [ 1 ] Closed [ 6 ]
          rtyler R. Tyler Croy added a comment -

          Do not disable the Groovy sandbox

          Disabling the sandbox removes ALL security checks.

          olivieratsncf olivier G added a comment -

          I understand, but how can we prevent a user from disabling the Groovy sandbox?

          Should not there be a configuration at the admin level to prevent it?

          rtyler R. Tyler Croy added a comment -

          From my recollection, users without admin privileges cannot disable the groovy sandbox without administrator approval.

          If users are able to disable the groovy sandbox, they're likely admins and can do much much worse.

          olivieratsncf olivier G added a comment -

          This is what I want. But in my case, in the folder, a non-admin user with the job / configure right on the folder could do the same.
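
An audit for the situation discussed in this thread, added here as an example (not part of the issue and not Jenkins project code): it walks a controller's `JENKINS_HOME` and lists inline Pipeline jobs whose `config.xml` does not carry `<sandbox>true</sandbox>`, including jobs inside folders. The helper names and the sample XML are constructed for illustration; treating a missing `<sandbox>` element as unsandboxed is an assumption.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Definition class that workflow-cps writes for an inline Pipeline script.
CPS_CLASS = "org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition"
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def sandbox_state(config_xml: str) -> str:
    """Classify one job config.xml: 'sandboxed', 'unsandboxed' or 'not-inline'."""
    # Drop the declaration so parsing does not depend on the XML version written.
    root = ET.fromstring(XML_DECL.sub("", config_xml, count=1))
    definition = root.find("definition")
    if definition is None or definition.get("class") != CPS_CLASS:
        return "not-inline"  # folder, freestyle job or Pipeline-from-SCM
    # Assumption: anything but an explicit "true" counts as unsandboxed.
    flag = (definition.findtext("sandbox") or "").strip().lower()
    return "sandboxed" if flag == "true" else "unsandboxed"

def audit(jenkins_home: Path) -> list[str]:
    """Return 'relative/job/path: state' for every job that needs review."""
    findings = []
    for cfg in sorted(jenkins_home.glob("jobs/**/config.xml")):
        if cfg.parent.parent.name != "jobs":  # only .../jobs/<name>/config.xml
            continue
        try:
            state = sandbox_state(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            state = "unparseable"
        if state != "sandboxed" and state != "not-inline":
            rel = cfg.parent.relative_to(jenkins_home).as_posix()
            findings.append(f"{rel}: {state}")
    return findings

def _job(sandbox: str) -> str:
    # Constructed sample config.xml, not taken from a real controller.
    return ("<?xml version='1.1' encoding='UTF-8'?>\n<flow-definition>"
            f"<definition class='{CPS_CLASS}'><script>echo 'hi'</script>"
            f"{sandbox}</definition></flow-definition>")

def demo() -> list[str]:
    samples = {"jobs/ok": _job("<sandbox>true</sandbox>"),
               "jobs/team/jobs/risky": _job("<sandbox>false</sandbox>"),
               "jobs/team": "<com.cloudbees.hudson.plugins.folder.Folder/>"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, xml in samples.items():
            path = Path(tmp, rel, "config.xml")
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(xml, encoding="utf-8")
        return audit(Path(tmp))
```

Point `audit()` at the controller's own `JENKINS_HOME` (the location varies per installation); `demo()` runs it against the constructed layout and returns the one unsandboxed job.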


            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            olivieratsncf olivier G