Jenkins / JENKINS-19724

Monitor Maven Process - Environment Variables allows user to see unencrypted passwords


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • maven-plugin
    • None

      When running a Maven job, it is possible to monitor the Maven process.

      Upon clicking on the 'Monitor Maven Process' link (http://my-jenkins:8080/job/MyMavenJob/123/probe/?), a page opens with the following options in the left column:

      • System Properties
      • Environment Variables
      • Thread Dump
      • Script Console

      After clicking on System Properties (http://my-jenkins:8080/job/MyMavenJob/123/probe/systemProperties) and/or Environment Variables (http://my-jenkins:8080/job/MyMavenJob/123/probe/envVars), it is possible to see all the passwords set in the Jenkins Management pages in plain text.

      In contrast, the Environment Variables of a free-style job show the same table, but with the encrypted Password values.
      http://my-jenkins:8080/job/MyFreeStyleJob/12/injectedEnvVars/?

      Am I doing anything wrong here or is there a bug in the presentation of such passwords?

      Just for completeness, I have the Mask Passwords Plugin installed and the following configured in my Maven Job.

      • Inject passwords to the build as environment variables
        • Global Passwords
      • Mask passwords (and enable global passwords)

      Thanks a lot,
      Steve

            Assignee: Unassigned
            Reporter: lostinberlin (Steve Boardwell)