
Zero executors on master not well documented or enforced

    • 2.289.1, 2.286

      As described here:

      http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html

      A user with "configure" privileges can execute arbitrary code in the context of the application server running Jenkins, and leverage this to bypass authentication and take full control of the Jenkins server. This is only a problem because the security matrix seems to be designed to separate privileges, and the fact that a user with "configure" privs for a single project can take over the whole server is non-obvious to administrators.

      Do you think this is something that constitutes a legitimate flaw to fix? Or more just something to be documented?

          [JENKINS-24513] Zero executors on master not well documented or enforced

          David Jorm created issue -
          Jesse Glick made changes -
          Assignee Original: Kohsuke Kawaguchi [ kohsuke ]
          Issue Type Original: Bug [ 1 ] New: Improvement [ 4 ]
          Summary Original: Potential privilege escalation issue New: Zero executors on master not well documented or enforced
          Kohsuke Kawaguchi made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: core [ 15738 ]
          Key Original: SECURITY-156 New: JENKINS-24513
          Project Original: Security Issues [ 10180 ] New: Jenkins [ 10172 ]
          Workflow Original: Security v1.2 [ 157284 ] New: JNJira [ 157499 ]
          Status Original: Untriaged [ 10001 ] New: Open [ 1 ]
          Jesse Glick made changes -
          Labels New: security
          Jesse Glick made changes -
          Link New: This issue is related to JENKINS-30749 [ JENKINS-30749 ]
          Jesse Glick made changes -
          Labels Original: security New: 2.0 security
          Kohsuke Kawaguchi made changes -
          Labels Original: 2.0 security New: security
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 157499 ] New: JNJira + In-Review [ 179555 ]
          Jesse Glick made changes -
          Link New: This issue is duplicated by JENKINS-33555 [ JENKINS-33555 ]
          Jesse Glick made changes -
          Link New: This issue is duplicated by SECURITY-480 [ SECURITY-480 ]
          Jesse Glick made changes -
          Link New: This issue relates to JENKINS-22949 [ JENKINS-22949 ]
