Jenkins / JENKINS-24513

Zero executors on master not well documented or enforced


    Details


      Description

      As described here:

      http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html

      A user with "configure" privileges can execute arbitrary code in the context of the application server running Jenkins, and leverage this to bypass authentication and take full control of the Jenkins server. This is only a problem because the security matrix seems to be designed to separate privileges, and the fact that a user with "configure" privs for a single project can take over the whole server is non-obvious to administrators.

      Do you think this is something that constitutes a legitimate flaw to fix? Or more just something to be documented?
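      The condition the report depends on is the controller ("master") still having executors, so that a job configured by a low-privilege user runs its build steps on the controller host as the Jenkins process. The following audit script is an added example for this page; it is not code from the Jenkins project or from the issue reporter. It checks both the on-disk `<numExecutors>` in `$JENKINS_HOME/config.xml` and what a running controller reports through `/computer/api/json`, and shows the hardened form with the count forced to zero. The config.xml fragment and the API response are constructed samples; the field names (`numExecutors`, `mode`, `computer[]`, `_class`, `displayName`) are Jenkins' real ones, while `DEFAULT_EXECUTORS` (the fresh-install default) and the "Built-In Node" display name on newer cores are assumptions made here.

```python
"""Added example (not Jenkins project code): audit a Jenkins controller
("master") for a non-zero executor count, the condition that lets a user
with per-job Configure permission run build steps on the controller host.

Both inputs below are constructed samples: a fragment of
$JENKINS_HOME/config.xml and a /computer/api/json response.
"""
import json
import xml.etree.ElementTree as ET

# Constructed fragment of $JENKINS_HOME/config.xml (controller settings sit
# at the top level of the <hudson> element).
SAMPLE_CONFIG_XML = """<hudson>
  <version>2.150</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
</hudson>
"""

# Constructed response to
#   GET /computer/api/json?tree=computer[_class,displayName,numExecutors]
SAMPLE_COMPUTER_JSON = json.dumps({
    "computer": [
        {"_class": "hudson.model.Hudson$MasterComputer",
         "displayName": "master", "numExecutors": 2},
        {"_class": "hudson.slaves.SlaveComputer",
         "displayName": "linux-agent-1", "numExecutors": 4},
    ]
})

# Assumption: fresh-install default used when <numExecutors> is absent.
DEFAULT_EXECUTORS = 2


def master_executors_from_config(config_xml):
    """Executor count configured for the controller in config.xml."""
    root = ET.fromstring(config_xml)
    node = root.find("numExecutors")
    if node is None or not (node.text or "").strip():
        return DEFAULT_EXECUTORS
    return int(node.text.strip())


def master_executors_from_api(computer_json):
    """Executor count the running controller reports for itself."""
    data = json.loads(computer_json)
    for computer in data.get("computer", []):
        # The controller's Computer is hudson.model.Hudson$MasterComputer;
        # the display name is "master" on older cores and (assumed here)
        # "Built-In Node" on newer ones, so match on the class first.
        is_master = (computer.get("_class", "").endswith("$MasterComputer")
                     or computer.get("displayName") in ("master", "Built-In Node"))
        if is_master:
            return int(computer.get("numExecutors", 0))
    raise ValueError("controller entry not found in computer list")


def harden_config(config_xml):
    """Return config.xml with <numExecutors> forced to 0.

    Changing <mode> to EXCLUSIVE is not a substitute: a user who can
    configure a job can still restrict it to the controller's label, so
    the executor count itself has to be zero.
    """
    root = ET.fromstring(config_xml)
    node = root.find("numExecutors")
    if node is None:
        node = ET.SubElement(root, "numExecutors")
    node.text = "0"
    # ElementTree drops the XML declaration; Jenkins rewrites the file
    # itself when the value is changed through the UI or script console.
    return ET.tostring(root, encoding="unicode")


def audit(config_xml, computer_json):
    """Return a list of findings; an empty list means the controller is clean."""
    findings = []
    configured = master_executors_from_config(config_xml)
    if configured > 0:
        findings.append(
            "config.xml: controller has %d executor(s); job build steps can run "
            "on the controller host with the Jenkins process's file access"
            % configured)
    live = master_executors_from_api(computer_json)
    if live > 0:
        findings.append("api: running controller reports %d executor(s)" % live)
    if configured != live:
        findings.append("config.xml (%d) and running instance (%d) disagree; "
                        "a restart or an unsaved live change is pending"
                        % (configured, live))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG_XML, SAMPLE_COMPUTER_JSON) or ["no findings"]:
        print(line)
```

      The same change can be made on a live instance from the script console with `Jenkins.instance.setNumExecutors(0)`; the audit above is useful for verifying that the setting was saved and that no later change put executors back on the controller.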

            Activity

            David Jorm (dfj) created the issue.

            Jesse Glick (jglick) made changes:
              Assignee: (none) -> Kohsuke Kawaguchi [kohsuke]
              Issue Type: Bug [1] -> Improvement [4]
              Summary: "Potential privilege escalation issue" -> "Zero executors on master not well documented or enforced"

            Kohsuke Kawaguchi (kohsuke) made changes:
              Component/s: core [15593] -> core [15738]
              Key: SECURITY-156 -> JENKINS-24513
              Project: Security Issues [10180] -> Jenkins [10172]
              Workflow: Security v1.2 [157284] -> JNJira [157499]
              Status: Untriaged [10001] -> Open [1]

            Jesse Glick (jglick) made changes:
              Labels: (none) -> security

            Jesse Glick (jglick) made changes:
              Link: added "This issue is related to JENKINS-30749"

            Jesse Glick (jglick) made changes:
              Labels: security -> 2.0 security

            Kohsuke Kawaguchi (kohsuke) made changes:
              Labels: 2.0 security -> security

            R. Tyler Croy (rtyler) made changes:
              Workflow: JNJira [157499] -> JNJira + In-Review [179555]

            Jesse Glick (jglick) made changes:
              Link: added "This issue is duplicated by JENKINS-33555"

            Jesse Glick (jglick) made changes:
              Link: added "This issue is duplicated by SECURITY-480"

            Jesse Glick (jglick) made changes:
              Link: added "This issue relates to JENKINS-22949"

            Daniel Beck (danielbeck) made changes:
              Link: added "This issue is related to JENKINS-46652"

            Oleg Nenashev (oleg_nenashev) made changes:
              Assignee: (none) -> Oleg Nenashev [oleg_nenashev]

            James Dumay (jamesdumay) made changes:
              Remote Link: added "CloudBees Internal OSS-2267 (Web Link)" [18367]

            Jesse Glick (jglick) made changes:
              Link: added "This issue is duplicated by JENKINS-49861"

            Jesse Glick (jglick) made changes:
              Labels: security -> essentials security

            R. Tyler Croy (rtyler) made changes:
              Labels: essentials security -> security

            Oleg Nenashev (oleg_nenashev) made changes:
              Assignee: Oleg Nenashev [oleg_nenashev] -> (none)

            Oleg Nenashev (oleg_nenashev) made changes:
              Labels: security -> security user-experience

            Jesse Glick (jglick) made changes:
              Remote Link: added "jenkins PR 3919 (Web Link)" [22436]

            Jesse Glick (jglick) made changes:
              Link: added "This issue relates to JENKINS-56617"

              People

              Assignee: Unassigned
              Reporter: David Jorm (dfj)
              Votes: 1
              Watchers: 12