MqttNotifier.DescriptorImpl.doFillCredentialsIdItems should take @AncestorInPath Item context to be used in place of Jenkins.getInstance(), and start with

      if (context == null || !context.hasPermission(Item.CONFIGURE)) {
          return new ListBoxModel();
      }
      

      lest it expose credentials IDs and descriptions to anonymous users.
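The requested guard in the context of a complete form-fill method, as an added example that is not the plugin's own code. The descriptor class name, the credential type (`StandardUsernamePasswordCredentials`) and the empty domain-requirement list are assumptions; the lookup uses the older Credentials plugin overload that takes `ACL.SYSTEM`.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Describable;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import java.util.Collections;
import org.kohsuke.stapler.AncestorInPath;

// Hypothetical base descriptor (name is an assumption) for any build step
// that offers a "credentialsId" drop-down in its job configuration form.
public abstract class GuardedCredentialsDescriptor<T extends Describable<T>>
        extends Descriptor<T> {

    protected GuardedCredentialsDescriptor(Class<? extends T> clazz) {
        super(clazz);
    }

    // Stapler exposes doFill* methods as HTTP endpoints, so this can be
    // requested directly, outside the configuration page.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item context) {
        // No job in the request path, or the caller may not configure that
        // job: return an empty list instead of credential IDs/descriptions.
        if (context == null || !context.hasPermission(Item.CONFIGURE)) {
            return new ListBoxModel();
        }
        // The lookup runs as ACL.SYSTEM, so it is not filtered by the
        // caller's own rights; the guard above is the only access check.
        // Scoping to the job (not the Jenkins root) also limits the result
        // to credentials visible from that job's folder hierarchy.
        return new StandardListBoxModel()
                .withEmptySelection()
                .withMatching(
                        CredentialsMatchers.always(),
                        CredentialsProvider.lookupCredentials(
                                StandardUsernamePasswordCredentials.class,
                                context,
                                ACL.SYSTEM,
                                Collections.<DomainRequirement>emptyList()));
    }
}
```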

          [JENKINS-25035] Credentials metadata leak in MqttNotifier

          Jesse Glick created issue -
          Jesse Glick made changes -
          Link New: This issue is blocking SECURITY-158 [ SECURITY-158 ]
          Gareth Western made changes -
          Assignee New: Gareth Western [ gareth_western ]
          Gareth Western made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Gareth Western made changes -
          Status Original: In Progress [ 3 ] New: Open [ 1 ]
          Gareth Western made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Gareth Western made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Progress [ 3 ] New: Resolved [ 5 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 158935 ] New: JNJira + In-Review [ 195932 ]
          Gareth Western made changes -
          Status Original: Resolved [ 5 ] New: Closed [ 6 ]

            gareth_western Gareth Western
            jglick Jesse Glick