[JENKINS-25031] Credentials metadata leak in ServerCredentialMapping

Type: Bug
Resolution: Fixed
Priority: Blocker
Component/s: config-file-provider-plugin
Labels:
- credentials
- security

Similar Issues:
Powered by SuggestiMate

Show

ServerCredentialMapping.DescriptorImpl.doFillCredentialsIdItems should probably start with

if (context == null || !context.hasPermission(Item.CONFIGURE)) {
    return new ListBoxModel();
}

lest it expose credentials IDs and descriptions to anonymous users.

This is assuming that context is actually expected to be non-null. Though if so, why is CredentialsHelper.findValidCredentials ignoring it? If there is no item context, check something, such as Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER).

Jesse Glick created issue - 2014-10-07 21:22

Jesse Glick made changes - 2014-10-07 21:30

Link

New: This issue is blocking SECURITY-158 [ SECURITY-158 ]

SCM/JIRA link daemon made changes - 2015-07-23 15:47

Resolution		New: Fixed [ 1 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

R. Tyler Croy made changes - 2016-07-25 23:56

Workflow

Original: JNJira [ 158931 ]

New: JNJira + In-Review [ 195931 ]

Mark Waite made changes - 2021-11-21 02:35

Status

Original: Resolved [ 5 ]

New: Closed [ 6 ]

Assignee:: Dominik Bartholdi

Reporter:: Jesse Glick

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2014-10-07 21:22

Updated:: 2021-11-21 02:35

Resolved:: 2015-07-23 15:47

Jenkins

Details

Description

Attachments

Activity

People

Dates