Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-25035

Credentials metadata leak in MqttNotifier

XMLWordPrintable

      MqttNotifier.DescriptorImpl.doFillCredentialsIdItems should take @AncestorInPath Item context to be used in place of Jenkins.getInstance(), and start with

      if (context == null || !context.hasPermission(Item.CONFIGURE)) {
    return new ListBoxModel();
}

      lest it expose credentials IDs and descriptions to anonymous users.

          [JENKINS-25035] Credentials metadata leak in MqttNotifier

          Jesse Glick created issue -
          Jesse Glick made changes -
          Link New: This issue is blocking SECURITY-158 [ SECURITY-158 ]
          Gareth Western made changes -
          Assignee New: Gareth Western [ gareth_western ]

          Gareth Western added a comment - - edited

          Thanks for the bug report! I'll try to get this patched and published sometime this week.

          Gareth Western added a comment - - edited Thanks for the bug report! I'll try to get this patched and published sometime this week.
          Gareth Western made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Gareth Western made changes -
          Status Original: In Progress [ 3 ] New: Open [ 1 ]
          Gareth Western made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          Gareth Western added a comment -

          To be released in 1.3

          Gareth Western added a comment - To be released in 1.3
          Gareth Western made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Progress [ 3 ] New: Resolved [ 5 ]

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Gareth Western
          Path:
          src/main/java/jenkins/plugins/mqttnotification/MqttNotifier.java
          http://jenkins-ci.org/commit/mqtt-notification-plugin/7d945beb5380bcbaa6407e67c0e7fdfe44c1ae7f
          Log:
          JENKINS-25035 Guard against credentials leak

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Gareth Western Path: src/main/java/jenkins/plugins/mqttnotification/MqttNotifier.java http://jenkins-ci.org/commit/mqtt-notification-plugin/7d945beb5380bcbaa6407e67c0e7fdfe44c1ae7f Log: JENKINS-25035 Guard against credentials leak

            gareth_western Gareth Western
            jglick Jesse Glick
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: