[JENKINS-24287] EnvInject exposes password hashes

Type: Bug
Resolution: Fixed
Priority: Critical
Component/s: envinject-plugin
Labels:
- security

Similar Issues:
Powered by SuggestiMate

Show

Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.

If they have Config access to a different folder on the same master, they can use this password hash to expose the password and take control of the account by using the CLI to directly change the job config.xml

I propose that this link or at least the password hashes be restricted to only users with job config access.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

EnvInject.png
60 kB
2014-08-18 12:33
config.xml
10 kB
2014-08-18 12:33

duplicates

JENKINS-29867 Add options, which allow disabling the Injected variables listings

Resolved

is related to

JENKINS-23447 Sensitive build variables recorded in EnvInjectSavable and displayed in EnvInjectAction

Resolved

JENKINS-29867 Add options, which allow disabling the Injected variables listings

Resolved

Walter Kacynski created issue - 2014-08-15 13:36

Daniel Beck made changes - 2014-08-15 15:16

Labels

New: security

Walter Kacynski made changes - 2014-08-18 12:33

Attachment		New: EnvInject.png [ 26605 ]
Attachment		New: config.xml [ 26606 ]

Walter Kacynski made changes - 2014-09-10 14:47

Description

Original: Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.

If they have Config access to a difference folder on the same master, they can use this password hash to expose the password and take control of the account.

I propose that this link or at least the password hashes be restricted to only users with job config access.

New: Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.

If they have Config access to a different folder on the same master, they can use this password hash to expose the password and take control of the account by using the CLI to directly change the job config.xml

I propose that this link or at least the password hashes be restricted to only users with job config access.

Jesse Glick made changes - 2014-09-17 16:27

Link

New: This issue is related to ~~JENKINS-23447~~ [ ~~JENKINS-23447~~ ]

Jesse Glick made changes - 2014-10-07 13:52

Link

New: This issue is duplicated by SECURITY-82 [ SECURITY-82 ]

Oleg Nenashev made changes - 2015-10-12 10:17

Link

New: This issue is related to ~~JENKINS-29867~~ [ ~~JENKINS-29867~~ ]

R. Tyler Croy made changes - 2016-07-25 23:51

Workflow

Original: JNJira [ 157168 ]

New: JNJira + In-Review [ 179533 ]

Oleg Nenashev made changes - 2016-09-30 13:07

Assignee

Original: Gregory Boissinot [ gbois ]

New: Oleg Nenashev [ oleg_nenashev ]

Oleg Nenashev made changes - 2016-09-30 13:08

Link

New: This issue duplicates ~~JENKINS-29867~~ [ ~~JENKINS-29867~~ ]

Oleg Nenashev made changes - 2016-09-30 13:08

Resolution		New: Fixed [ 1 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

Assignee:: Oleg Nenashev

Reporter:: Walter Kacynski

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2014-08-15 13:36

Updated:: 2016-09-30 13:08

Resolved:: 2016-09-30 13:08

Jenkins

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates