
Credentials metadata leak in GraniteCredentialsListBoxModel

      GraniteCredentialsListBoxModel.fillItems should probably start with

      if (context == null || !context.hasPermission(Item.CONFIGURE)) {
          return new ListBoxModel();
      }
      

      lest it expose credentials IDs and descriptions to anonymous users.

      This is assuming that there is a context passed in from callers, typically as @AncestorInPath.
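An added example, not code from the Granite plugin or from the issue, showing where the proposed guard sits in a Stapler form-fill method. The class name, method name and the "- none -" entry are hypothetical; it assumes Jenkins core and the Credentials plugin on the classpath, and that the lookup runs as ACL.SYSTEM.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import java.util.Collections;
import java.util.List;
import org.kohsuke.stapler.AncestorInPath;

/** Hypothetical form-fill helper; in a plugin this method would live in a Descriptor. */
public class ExampleCredentialsFill {

    /**
     * Stapler binds doFill*Items methods to a URL, so any client that can
     * reach that URL can call this, not only users viewing the config form.
     */
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item context) {
        // Guard proposed in the issue: no context, or a caller without
        // Item.CONFIGURE on it, gets an empty list instead of metadata.
        if (context == null || !context.hasPermission(Item.CONFIGURE)) {
            return new ListBoxModel();
        }
        return listCredentials(context);
    }

    /** One option per credential: description (or ID) as label, ID as value. */
    private static ListBoxModel listCredentials(Item context) {
        // Assumption: the lookup runs as ACL.SYSTEM, so nothing below filters
        // by the caller's rights; the guard above is the only access check.
        List<StandardCredentials> found = CredentialsProvider.lookupCredentials(
                StandardCredentials.class, context, ACL.SYSTEM,
                Collections.<DomainRequirement>emptyList());
        ListBoxModel items = new ListBoxModel();
        items.add("- none -", ""); // hypothetical empty choice
        for (StandardCredentials c : found) {
            String description = c.getDescription();
            boolean blank = description == null || description.isEmpty();
            items.add(blank ? c.getId() : description, c.getId());
        }
        return items;
    }
}
```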

          [JENKINS-25032] Credentials metadata leak in GraniteCredentialsListBoxModel

          Jesse Glick created issue
          Jesse Glick made changes
          Link New: This issue is blocking SECURITY-158 [ SECURITY-158 ]
          R. Tyler Croy made changes
          Workflow Original: JNJira [ 158932 ] New: JNJira + In-Review [ 179796 ]
