
Overall.READ is sufficient to access /administrativeMonitor/hudsonHomeIsFull/

      This does not appear to really be an issue by itself, but it might be in the case of carelessly implemented Solutions to this problem that don't check permissions in message.jelly and expose private data on the overview page (even if checking permissions for any associated actions).
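      The pattern the description asks for, as an added illustration that is not Jenkins core code: a hypothetical message.jelly for an AdministrativeMonitor whose harmless warning is visible to any Overall/READ user, while the JENKINS_HOME path and the link to the solutions page are only rendered for Overall/ADMINISTER. `app`, `it`, `rootURL` and `it.url` are the standard Jenkins Jelly bindings; the markup around them is assumed.

```xml
<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core">
  <!-- Hypothetical message.jelly; constructed for illustration, not from Jenkins core. -->
  <!-- The bare warning discloses nothing, so it is shown to every Overall/READ user. -->
  <div class="warning">
    ${%Disk space in JENKINS_HOME is running low.}
    <!-- The path and the solutions link are gated on the same permission the
         attached commit applies to index.jelly, so the overview page does not
         leak what the detail page now protects. -->
    <j:if test="${app.hasPermission(app.ADMINISTER)}">
      ${%Location}: ${app.rootDir}
      <a href="${rootURL}/${it.url}">${%Details and solutions}</a>
    </j:if>
  </div>
</j:jelly>
```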


          Daniel Beck created issue -

          Daniel Beck added a comment -

          It also exposes the path to JENKINS_HOME which will reveal master OS and could reveal configuration details. I don't think this should be public.


          Daniel Beck added a comment -

          Like SECURITY-133, this is fairly harmless and a fix can probably be released in a regular release. Again, let me know if I should not release the fix.

          $ git show e7f72e5
          commit e7f72e502377138a36e65d52d3c2b7311b07a5ec
          Author: Daniel Beck <daniel-beck@github.com>
          Date:   Sun May 11 00:19:45 2014 +0200
          
              [FIX SECURITY-134] Restrict access to admin monitor info page
              
              This could contain sensitive information in the list of solutions
              provided. It also shows the path to JENKINS_HOME, exposing OS and
              configuration information.
          
          diff --git a/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly b/core/src/main/resources/hudson/diagnosis/Hudso
          index fb29dd5..eb39bea 100644
          --- a/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly
          +++ b/core/src/main/resources/hudson/diagnosis/HudsonHomeDiskUsageMonitor/index.jelly
          @@ -24,7 +24,7 @@ THE SOFTWARE.
           
           <?jelly escape-by-default='true'?>
           <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form
          -       <l:layout title="${%JENKINS_HOME is almost full}">
          +       <l:layout title="${%JENKINS_HOME is almost full}" permission="${app.ADMINISTER}">
                          <l:main-panel>
                 <h1>
                   <img src="${imagesURL}/48x48/warning.png" height="48" width="48" />
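          Review bot: the permission guard is added only to the `<l:layout>` of index.jelly, but the issue description points at message.jelly, which is rendered on the overview page for every Overall/READ user; nothing in this hunk touches it. Before merging, confirm that message.jelly does not itself print the JENKINS_HOME path or solution details, or gate those parts behind the same `app.ADMINISTER` check. Also note the hunk header claims 7 lines of context but the diff as pasted stops after the `<img>` line and the `xmlns:f="/lib/form` attribute is cut off, so the full change should be reviewed from the commit rather than from this excerpt.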

          Jesse Glick made changes -
          Status Original: Untriaged [ 10001 ] New: Open [ 1 ]
          Jesse Glick made changes -
          Status Original: Open [ 1 ] New: Fix Prepared [ 10002 ]
          Jesse Glick made changes -

          Jesse Glick added a comment -

          Was merged for a regular release.

          Jesse Glick made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Fix Prepared [ 10002 ] New: Resolved [ 5 ]
          Jesse Glick made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: core [ 15738 ]
          Key Original: SECURITY-134 New: JENKINS-23627
          Project Original: Security Issues [ 10180 ] New: Jenkins [ 10172 ]
          Workflow Original: Security v1.2 [ 154895 ] New: JNJira [ 156410 ]
          Jesse Glick made changes -
          Labels New: security

            kohsuke Kohsuke Kawaguchi
            danielbeck Daniel Beck