Job import plugin has the "Password/API key" in cleartext. Contents of this field are stored on the server so anyone can see the password of the user that previously imported jobs via the plugin.

I understand that API keys are preferred to be in cleartext. So the ideal solution may be to split this into two separate fields: Password, which will be a real password field (with obscured input), and API key, which will show the key in cleartext.

          [JENKINS-22942] Job Import Plugin: Password field is cleartext

          Pawel Defee created issue -

          Alexandre Aubert added a comment - it's indeed really sad to display password as cleartext on 'import settings' page

          Sagayaraj David added a comment - - edited

          If the first user completes his job import, and the next user then goes to http://myjenkins.com/job-import, he is clearly able to see the first user's user name and password. If the second user wishes, he can continue to use the first user's credential and even hack anything with that credential. A serious issue in this plugin, needs immediate fix. Maybe clearing the User and Password fields with every new session is a good idea.

          Sagayaraj David made changes -
          Priority Original: Minor [ 4 ] New: Blocker [ 1 ]
          Don Schiewer made changes -
          Labels New: security

          gerhard6 added a comment -

          fully agree with David, just found a password of one of my colleagues, and likely several of my colleagues now know mine. At least at the GUI, this must be prevented.....

          Anyone here to fix this as suggested by David?

          Emilio Escobar made changes -
          Assignee New: Emilio Escobar [ escoem ]
          Emilio Escobar made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Emilio Escobar made changes -
          Link New: This issue is duplicated by JENKINS-33307 [ JENKINS-33307 ]
          Emilio Escobar made changes -
          Remote Link New: This issue links to "PR (Web Link)" [ 14145 ]
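
A simplified model of the behaviour reported in this issue, added here as an example; it is not the plugin's code. It contrasts a page object that keeps the last submitted credentials and echoes them into a text field with one that uses them for a single request and renders an empty, obscured field. All class, function and user names are hypothetical.

```python
import html

# Simplified model of the reported behaviour; not the Job Import Plugin's code.
# Every name below is hypothetical and the sample values are constructed.


class SharedImportPage:
    """Vulnerable pattern: one server-side object keeps the last submitted form."""

    def __init__(self):
        self.remote_url = ""
        self.username = ""
        self.password = ""

    def submit(self, remote_url, username, password):
        # Submitted values outlive the request and are shared by every visitor.
        self.remote_url, self.username, self.password = remote_url, username, password
        return query_remote(remote_url, username, password)

    def render(self):
        # Cleartext field pre-filled with whatever the previous user typed.
        return (
            f'<input type="text" name="username" value="{html.escape(self.username)}">'
            f'<input type="text" name="password" value="{html.escape(self.password)}">'
        )


class PerRequestImportPage:
    """Hardened pattern: credentials live only for the duration of one request."""

    def submit(self, remote_url, username, password):
        # The secret is used for this call only; nothing is stored on the page.
        return query_remote(remote_url, username, password)

    def render(self):
        # Obscured input, always empty: the server never echoes a secret back.
        return (
            '<input type="text" name="username" value="">'
            '<input type="password" name="password" value="" autocomplete="off">'
        )


def query_remote(remote_url, username, password):
    """Stand-in for the remote job listing call; performs no network I/O."""
    return [f"{remote_url}/job/example"] if username and password else []


def leaks_secret(page, secret):
    """True if the form rendered for the next visitor contains the secret."""
    return secret in page.render()
```

Obscuring the input alone would not close the hole in the first class: a pre-filled `value` attribute is still readable in the page source, so the stored secret must also stop being sent back to the browser.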

            escoem Emilio Escobar
            paweldefee Pawel Defee
            Votes: 7
            Watchers: 13
