Jenkins / JENKINS-18211

Passwords are committed in plain text


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • redmine-plugin
    • None

      From my understanding, Jenkins saves all passwords as AES-encrypted strings, not in plain text, e.g. authentication provider strings.
      It looks like the scm plugin collects the form data before this encryption takes place, so the passwords are submitted in plain text to the scm provider. This is a big security issue if you want to give non-admin people access to the config backup in scm. If anyone can read a password someone typed in secretly, that is a big problem.
      At least it should be configurable to submit passwords unencrypted but default to encrypted; that's the way Jenkins also saves config data on disk.

            ljader Łukasz Jąder
            cforce cforce
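
A pre-commit check for the situation this issue describes, written as an added example (not code from Jenkins or the plugin): it walks a configuration XML file and reports credential-like elements whose value does not have the shape of a Jenkins-encrypted secret. The element-name pattern, the constructed sample config and the two accepted value shapes (brace-wrapped Base64, or Base64 that decodes to a multiple of 16 bytes) are assumptions of this example, and the check is a heuristic.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Element names treated as credential fields (assumption; extend as needed).
SENSITIVE = re.compile(r"pass(word|phrase)|secret|token|apikey", re.I)
# Assumed newer secret shape: a Base64 payload wrapped in braces.
BRACED = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")

# Constructed sample: one clear-text field and two encrypted-looking fields.
SAMPLE_CONFIG = """<hudson>
  <securityRealm>
    <server>ldap.example.test</server>
    <managerPassword>hunter2-ldap</managerPassword>
  </securityRealm>
  <proxy><password>{AQAAABAAAAAQc2FtcGxlLWNpcGhlcnRleHQ=}</password></proxy>
  <legacy><apiToken>MDEyMzQ1Njc4OWFiY2RlZg==</apiToken></legacy>
</hudson>"""


def looks_encrypted(value):
    """Heuristic: True if value has the shape of an encrypted secret."""
    if BRACED.match(value):
        return True
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # not Base64 at all, so it cannot be ciphertext
        return False
    # Assumed legacy shape: Base64 of AES output (non-empty, 16-byte blocks).
    return len(raw) > 0 and len(raw) % 16 == 0


def find_plaintext_secrets(xml_text):
    """Return the paths of sensitive elements whose value is stored in clear."""
    findings = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        text = (node.text or "").strip()
        if text and SENSITIVE.search(node.tag) and not looks_encrypted(text):
            findings.append(here)
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


if __name__ == "__main__":
    for path in find_plaintext_secrets(SAMPLE_CONFIG):
        print("plaintext credential field:", path)
```

A clear-text password that happens to be valid Base64 of the right length would pass this check, so treat an empty result as "nothing obvious", not as proof that the backup is clean.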