Project: Jenkins
Issue: JENKINS-18633

/me/my-views/editDescription may be used by any user to set global description

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Environment: Windows 7 using the integrated web server, ActiveDirectory authentication and matrix-based security.

      I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.

      Could be reproduced:
      - log on as this user
        * main page shows up, but no link to change the description
      - click on "my views"
        * this will open the URL https://SERVERNAME/me/my-views
          which is redirected to https://SERVERNAME/me/my-views/view/Alle/
        * On this page the global server description is writeable

      This could also be tested by directly opening the URL:
      https://SERVERNAME/me/my-views/editDescription


          Dominik Schwald created issue -

          Dominik Schwald added a comment -

          edit: fixed markup
          Dominik Schwald made changes -
          Description Original: I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.

          Could be reproduced:
          - log on as this user
            * main page shows up, but no link to change the description
          - click on "my views"
            * this will open the URL https://SERVERNAME/me/my-views
              which is redirected to https://SERVERNAME/me/my-views/view/Alle/
            * On this page the global server description is writeable

          This could also be tested by directly opening the URL:
          https://SERVERNAME/me/my-views/editDescription

          New: I have a user that has only the single right "Job: read", but is still allowed to change the description of the server (main heading) for everyone.

          Could be reproduced:
          * log on as this user
          ** main page shows up, but no link to change the description
          * click on "my views"
          ** this will open the URL https://SERVERNAME/me/my-views
          ** which is redirected to https://SERVERNAME/me/my-views/view/Alle/
          ** On this page the global server description is writeable

          This could also be tested by directly opening the URL:
          https://SERVERNAME/me/my-views/editDescription

          Raphael CHAUMIER made changes -
          Assignee New: Raphael CHAUMIER [ raphc ]
          Jesse Glick made changes -
          URL New: https://github.com/jenkinsci/jenkins/pull/906
          Labels New: security

          Jesse Glick added a comment -

          By the way, in the future please file security-related issues in https://issues.jenkins-ci.org/browse/SECURITY.

          Raphael CHAUMIER made changes -
          Assignee Original: Raphael CHAUMIER [ raphc ]

          Jesse Glick added a comment -

          Reproducible in 1.509.3 using Mock Security Realm and global matrix authorization. Create a user with Overall/Read and Job/Read, log in, and My Views » Edit Description can be used to set global description.

          Attempted fix in https://github.com/jenkinsci/jenkins/pull/906 was closed; need a different fix.

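          What the report and Jesse Glick's reproduction above describe is consistent with an authorization check made against the wrong object: the request arrives under the caller's own /me/my-views URL space, where the caller is entitled to edit their personal views, yet the value it writes is the global description, which only an administrator should be able to set. The Java below is an added illustration of that pattern next to the corresponding guard, written for this page; it is not Jenkins core's code and does not claim to be the actual defect or the fix merged for this issue (the page shows neither). The class, method and field names (DescriptionEditorExample, doSubmitDescriptionVulnerable, myView) are hypothetical; the Jenkins and Stapler calls it uses (View.CONFIGURE, Jenkins.ADMINISTER, checkPermission, setSystemMessage, @RequirePOST, HttpResponses.redirectToDot) are real APIs of the 1.5xx era.

```java
// Added illustration, not Jenkins' own source. Two Stapler web methods that
// would be reachable under an ".../editDescription"-style URL. The first
// checks a permission on the wrong object and lets any logged-in user
// overwrite the global description; the second checks ADMINISTER on the
// Jenkins root, which is the object the global description belongs to.
// Class, method and field names are hypothetical.
package example;

import hudson.model.View;
import java.io.IOException;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class DescriptionEditorExample {

    /** The caller's own personal view, which the caller is allowed to configure. */
    private final View myView;

    public DescriptionEditorExample(View myView) {
        this.myView = myView;
    }

    /**
     * VULNERABLE: the permission check is made against the personal view the
     * request was routed through, and a user holding only Overall/Read and
     * Job/Read passes it for their own view. The write, however, goes to the
     * global system message (the main heading), so every user can change it.
     */
    @RequirePOST
    public HttpResponse doSubmitDescriptionVulnerable(StaplerRequest req) throws IOException {
        myView.checkPermission(View.CONFIGURE);                        // wrong object
        Jenkins.getInstance().setSystemMessage(req.getParameter("description"));
        return HttpResponses.redirectToDot();
    }

    /**
     * GUARDED: the permission check is made against the object actually being
     * modified. Changing the global description requires Overall/Administer;
     * the Job/Read-only user from the report gets an AccessDeniedException and
     * the system message is left untouched.
     */
    @RequirePOST
    public HttpResponse doSubmitDescription(StaplerRequest req) throws IOException {
        Jenkins jenkins = Jenkins.getInstance();
        jenkins.checkPermission(Jenkins.ADMINISTER);                  // right object, right permission
        jenkins.setSystemMessage(req.getParameter("description"));
        return HttpResponses.redirectToDot();
    }
}
```

          To confirm a fix on a real instance, repeat the report's steps as the user holding only Overall/Read and Job/Read: My Views » Edit Description, or a direct request to https://SERVERNAME/me/my-views/editDescription, should be refused, and the main heading on the front page should be unchanged afterwards. Checking with that user rather than an administrator matters, because an administrator passes both variants above.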
          Jesse Glick made changes -
          URL Original: https://github.com/jenkinsci/jenkins/pull/906
          Labels Original: security New: lts-candidate security
          Summary Original: User with the right "READ" is able to change main server description New: /me/my-views/editDescription may be used by any user to set global description
          Jesse Glick made changes -
          Assignee New: Jesse Glick [ jglick ]

            Assignee: Jesse Glick (jglick)
            Reporter: Dominik Schwald (dominik_)