[JENKINS-25031] Credentials metadata leak in ServerCredentialMapping

Type: Bug
Resolution: Fixed
Priority: Blocker
Component/s: config-file-provider-plugin
Labels:
- credentials
- security

Similar Issues:
Powered by SuggestiMate

Show

ServerCredentialMapping.DescriptorImpl.doFillCredentialsIdItems should probably start with

if (context == null || !context.hasPermission(Item.CONFIGURE)) {
    return new ListBoxModel();
}

lest it expose credentials IDs and descriptions to anonymous users.

This is assuming that context is actually expected to be non-null. Though if so, why is CredentialsHelper.findValidCredentials ignoring it? If there is no item context, check something, such as Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER).

SCM/JIRA link daemon added a comment - 2015-07-23 15:47

Code changed in jenkins
User: imod
Path:
src/main/java/org/jenkinsci/plugins/configfiles/maven/security/ServerCredentialMapping.java
http://jenkins-ci.org/commit/config-file-provider-plugin/ca3c5a44bd45d0e850485fb9292be87b789281b0
Log:
[FIXED JENKINS-25031] don't leak ServerCredentialMapping

SCM/JIRA link daemon added a comment - 2015-07-23 15:47 Code changed in jenkins User: imod Path: src/main/java/org/jenkinsci/plugins/configfiles/maven/security/ServerCredentialMapping.java http://jenkins-ci.org/commit/config-file-provider-plugin/ca3c5a44bd45d0e850485fb9292be87b789281b0 Log: [FIXED JENKINS-25031] don't leak ServerCredentialMapping

Assignee:: Dominik Bartholdi

Reporter:: Jesse Glick

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2014-10-07 21:22

Updated:: 2021-11-21 02:35

Resolved:: 2015-07-23 15:47

Jenkins

Details

Description

Attachments

Activity

Collapse comment: SCM/JIRA link daemon added a comment - 2015-07-23 15:47

Expand comment: SCM/JIRA link daemon added a comment - 2015-07-23 15:47

People

Dates