-
Type:
Bug
-
Resolution: Fixed
-
Priority:
Critical
-
Component/s: envinject-plugin
Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.
If they have Config access to a different folder on the same master, they can use this password hash to expose the password and take control of the account by using the CLI to directly change the job config.xml
I propose that this link or at least the password hashes be restricted to only users with job config access.
- duplicates
-
JENKINS-29867 Add options, which allow disabling the Injected variables listings
-
- Resolved
-
- is related to
-
-
- Resolved
-
-
-
- Resolved
-
