[JENKINS-24287] EnvInject exposes password hashes - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Critical
Resolution: Fixed
Component/s: envinject-plugin
Labels:
- security

Similar Issues:

Show

Description

Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.

If they have Config access to a different folder on the same master, they can use this password hash to expose the password and take control of the account by using the CLI to directly change the job config.xml

I propose that this link or at least the password hashes be restricted to only users with job config access.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

config.xml
10 kB
2014-08-18 12:33
EnvInject.png
60 kB
2014-08-18 12:33

Issue Links

duplicates

JENKINS-29867 Add options, which allow disabling the Injected variables listings

Resolved

is related to

JENKINS-23447 Sensitive build variables recorded in EnvInjectSavable and displayed in EnvInjectAction

Resolved

JENKINS-29867 Add options, which allow disabling the Injected variables listings

Resolved

Activity

Ascending order - Click to sort in descending order

View 5 older comments

Jesse Glick added a comment - 2014-09-17 16:27

Not sure what “password hash” means in this context but is this just a duplicate of ~~JENKINS-23447~~?

Jesse Glick added a comment - 2014-09-17 16:27 Not sure what “password hash” means in this context but is this just a duplicate of JENKINS-23447 ?

Daniel Beck added a comment - 2014-09-17 17:11

jglick: No, this is about variables recognized by Env-Inject as passwords. They're only shown in encrypted form on the Injected Env Vars page, but that can be reused in another job in the same instance the malicious user has config access to: Just run env there and you "decrypted" the password.

Daniel Beck added a comment - 2014-09-17 17:11 jglick : No, this is about variables recognized by Env-Inject as passwords. They're only shown in encrypted form on the Injected Env Vars page, but that can be reused in another job in the same instance the malicious user has config access to: Just run env there and you "decrypted" the password.

Elliott Jones added a comment - 2015-04-20 13:37

Any thoughts on this being fixed? We have to use passwords managed by a separate IT team for our CI process thus this issue is of concern to them.

Elliott Jones added a comment - 2015-04-20 13:37 Any thoughts on this being fixed? We have to use passwords managed by a separate IT team for our CI process thus this issue is of concern to them.

Oleg Nenashev added a comment - 2015-10-12 10:17

~~JENKINS-29867~~ (https://github.com/jenkinsci/envinject-plugin/pull/57) should partially address this use-case in 1.92+

Oleg Nenashev added a comment - 2015-10-12 10:17 JENKINS-29867 ( https://github.com/jenkinsci/envinject-plugin/pull/57 ) should partially address this use-case in 1.92+

Oleg Nenashev added a comment - 2016-09-30 13:08

I think the ~~JENKINS-29867~~ fix is enough. Please reopen the issue if you expect something else to be delivered

Oleg Nenashev added a comment - 2016-09-30 13:08 I think the JENKINS-29867 fix is enough. Please reopen the issue if you expect something else to be delivered

People

Assignee:: Oleg Nenashev

Reporter:: Walter Kacynski

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2014-08-15 13:36

Updated:: 2016-09-30 13:08

Resolved:: 2016-09-30 13:08