Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-24287

EnvInject exposes password hashes

    XMLWordPrintable

Details

    Description

      Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.

      If they have Config access to a different folder on the same master, they can use this password hash to expose the password and take control of the account by using the CLI to directly change the job config.xml

      I propose that this link or at least the password hashes be restricted to only users with job config access.

      Attachments

        Issue Links

          duplicates

          New Feature - A new feature of the product, which has yet to be developed. JENKINS-29867 Add options, which allow disabling the Injected variables listings

          • Major - Major loss of function.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-23447 Sensitive build variables recorded in EnvInjectSavable and displayed in EnvInjectAction

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          New Feature - A new feature of the product, which has yet to be developed. JENKINS-29867 Add options, which allow disabling the Injected variables listings

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              oleg_nenashev Oleg Nenashev
              walterk82 Walter Kacynski
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: