Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-15213

email-ext 2.22+ allows any user with configure permission for a single job to circumvent Jenkins security

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major Major
    • email-ext-plugin
    • None
    • Since 2.22, including 2.24.1

      The ability to run a script prior to sending email was introduced in email-ext, a plugin with 10k+ installations, version 2.22 for JENKINS-12421.

      This allows users to exploit their job configure privilege for a single job to gain access to all of Jenkins, circumventing any security measures.

      Steps to reproduce

      1. In project based matrix security (most severe permissions issue), give "User" overall read permission. Create job "Job" and give read/configure/build permissions to "User"
      2. Log out and back in as "User"
      3. Configure "Job" to send email-ext (upon success).
      4. Set the pre-build script to e.g. "Hudson.instance.doQuietDown()" or "Hudson.instance.projects.each

      { it.disable() }

      "
      5. Start a build

      Result

      Jenkins is quieting down, or all projects have been disabled, depending on the script. Everything else is possible as well.

      Notes

      This feature cannot be deactivated, like Groovy Postbuild's "restrict access to internal objects", or used in a safe way by privileged users only, like Groovy's requiring administration permissions for adding or editing Groovy System build steps.

      This issue is identical to SECURITY-35 of June 23rd. Maybe it will get a better response as a public issue.

            slide_o_mix Alex Earl
            danielbeck Daniel Beck
            Votes:
            2 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: