[JENKINS-25031] Credentials metadata leak in ServerCredentialMapping

Type: Bug
Resolution: Fixed
Priority: Blocker
Component/s: config-file-provider-plugin
Labels:
- credentials
- security

Similar Issues:
Powered by SuggestiMate

Show

ServerCredentialMapping.DescriptorImpl.doFillCredentialsIdItems should probably start with

if (context == null || !context.hasPermission(Item.CONFIGURE)) {
    return new ListBoxModel();
}

lest it expose credentials IDs and descriptions to anonymous users.

This is assuming that context is actually expected to be non-null. Though if so, why is CredentialsHelper.findValidCredentials ignoring it? If there is no item context, check something, such as Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER).

Assignee:: Dominik Bartholdi

Reporter:: Jesse Glick

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2014-10-07 21:22

Updated:: 2021-11-21 02:35

Resolved:: 2015-07-23 15:47

Jenkins

Details

Description

Attachments

Activity

People

Dates