-
Bug
-
Resolution: Fixed
-
Critical
Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.
If they have Config access to a different folder on the same master, they can use this password hash to expose the password and take control of the account by using the CLI to directly change the job config.xml
I propose that this link or at least the password hashes be restricted to only users with job config access.
- duplicates
-
JENKINS-29867 Add options, which allow disabling the Injected variables listings
-
- Resolved
-
- is related to
-
-
- Resolved
-
-
-
- Resolved
-
[JENKINS-24287] EnvInject exposes password hashes
Walter Kacynski
created issue -
| Labels | New: security |
Walter Kacynski
added a comment - I think that I forgot to mention that you need to configure a global password or use job level passwords from this plugin. Doing these options will show the environment variable as injected which cause this security problem.
Walter Kacynski
added a comment - I think that I forgot to mention that you need to configure a global password or use job level passwords from this plugin. Doing these options will show the environment variable as injected which cause this security problem. Walter Kacynski
made changes -
| Attachment | New: EnvInject.png [ 26605 ] | |
| Attachment | New: config.xml [ 26606 ] |
This still doesn't explain how other users that
have Config access to a difference folder on the same master, ... can use this password hash to expose the password and take control of the account
Walter Kacynski
added a comment - They can use the CLI to retrieve the config.xml and then paste this hash into the document and then update the job back to jenkins.
Walter Kacynski
added a comment - They can use the CLI to retrieve the config.xml and then paste this hash into the document and then update the job back to jenkins. Thanks for the explanation, makes sense. passwords should probably be hidden from this output completely, or just have the value (password hidden) or similar.
Walter Kacynski
made changes -
| Description |
Original:
Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes. If they have Config access to a difference folder on the same master, they can use this password hash to expose the password and take control of the account. I propose that this link or at least the password hashes be restricted to only users with job config access. |
New:
Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes. If they have Config access to a different folder on the same master, they can use this password hash to expose the password and take control of the account by using the CLI to directly change the job config.xml I propose that this link or at least the password hashes be restricted to only users with job config access. |
| Link |
New:
This issue is related to |
Could you provide steps to reproduce this?