Status: Resolved
Job import plugin has the "Password/API key" in cleartext. Contents of this field are stored on the server so anyone can see the password of the user that previously imported jobs via the plugin.
I understand that API keys are preferred to be in cleartext. So the ideal solution may be to split this into two separate fields: Password that will be a real password field (with obscured input) and API key that will show the key in cleartext.
- is duplicated by
JENKINS-33307 Password not Masked when Importing from Secured Jenkins Instance
If the first user completes his job import, and the next user then goes to http://myjenkins.com/job-import, he is clearly able to see the first user's user name and password. If the second user wishes, he can continue to use the first user's credential and even hack anything with that credential. A serious issue in this plugin, needs immediate fix. Maybe clearing off the User and Password fields with every new session is a good idea.
Fully agree with David, just found a password of one of my colleagues, and likely several of my colleagues now know mine. At least at the GUI, this must be prevented.
Anyone here to fix this as suggested by David?
Code changed in jenkins
User: Emilio Escobar
Merge pull request #10 from qais-yousef/1.3-fix
JENKINS-33379 JENKINS-22942 missing values inside textboxes
It's indeed really sad to display the password as cleartext on the 'import settings' page.
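The behaviour reported in this issue, next to the two suggestions made in the thread (an obscured password input, and no credentials carried over to the next visitor), as a plain-Java model. This is an added example, not the plugin's code; the class and method names are hypothetical and the password is a constructed sample value.

```java
// Added illustration; class and method names are hypothetical, not the plugin's code.
public class JobImportFormDemo {

    // Reported behaviour: one server-side object serves every visitor, keeps the
    // last submitted credentials as fields and echoes them into text inputs.
    static class SharedForm {
        private String username = "";
        private String password = "";

        void submit(String user, String pass) {
            this.username = user;   // survives the request and the session
            this.password = pass;
        }

        String render() {
            return "<input type=\"text\" name=\"username\" value=\"" + username + "\"/>"
                 + "<input type=\"text\" name=\"password\" value=\"" + password + "\"/>";
        }
    }

    // Suggested behaviour: credentials exist only for the duration of the import
    // call, and the page always renders an empty, obscured password input.
    static class PerRequestForm {
        String submit(String user, char[] pass) {
            try {
                return "imported as " + user;        // the remote call would use pass here
            } finally {
                java.util.Arrays.fill(pass, '\0');   // nothing is kept on the object
            }
        }

        String render() {
            return "<input type=\"text\" name=\"username\" value=\"\"/>"
                 + "<input type=\"password\" name=\"password\" value=\"\" autocomplete=\"off\"/>";
        }
    }

    public static void main(String[] args) {
        String secret = "constructed-sample-password";   // constructed sample value

        SharedForm shared = new SharedForm();
        shared.submit("alice", secret);                  // first user imports
        System.out.println("shared form shows it to the next visitor: "
                + shared.render().contains(secret));

        PerRequestForm scoped = new PerRequestForm();
        scoped.submit("alice", secret.toCharArray());
        System.out.println("per-request form shows it to the next visitor: "
                + scoped.render().contains(secret));
    }
}
```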