
Security: HipChat Plugin can leak global hipchat server host name and token

      It seems that when you save a Jenkins job with HipChat plugin installed it copies the Global configuration settings into the job XML file. Anybody who can view job configuration or job configuration history can see the sensitive HipChat server and token information. This is a security issue and also a pain to update if you need to re-save 30+ Jenkins jobs.


          aldaris added a comment -

          This is now resolved in 0.1.9-SNAPSHOT. With the addition of the v2 API support, now it is possible to define auth tokens on the job level or just simply inherit them from the global settings (without duplicating the setting in the project configuration).


          Kurt Madel added a comment -

          I don't understand why this still isn't a security risk. First, the token is managed via a regular text field, second - regardless if it is stored at the global config or job level, it is still stored as plain text. This needs to be managed like a password or you should look at integrating with the credentials plugin and use a credential ID that points to a secret text credential.


          aldaris added a comment -

          kmadel I believe you are looking for JENKINS-27303.

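A defender-side audit for the leak this issue describes, added here as an example; it is not code from the issue, from Jenkins or from the HipChat plugin. It walks Jenkins job config.xml files, looks for a HipChat notifier element and reports a token stored as plain text or a server host name copied out of the global configuration, masking the token so the report itself does not reproduce the secret. The element names (`HipChatNotifier`, `server`, `token`, `room`) and both sample configs are assumptions constructed for illustration, not the plugin's actual XML schema.

```python
"""Audit Jenkins job config.xml files for HipChat settings copied into jobs.

Added example, not code from the issue, Jenkins or the HipChat plugin. The
element names (HipChatNotifier, server, token, room) are assumptions chosen
for illustration, not the plugin's real schema.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: a job config into which the global server and token were
# copied, which is the situation the issue reports. The values are made up.
LEAKING_CONFIG_XML = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <publishers>
    <jenkins.plugins.hipchat.HipChatNotifier>
      <server>hipchat.example.internal</server>
      <token>abcdef0123456789abcdef0123456789</token>
      <room>build-notifications</room>
    </jenkins.plugins.hipchat.HipChatNotifier>
  </publishers>
</project>
"""

# Constructed sample: the job inherits server and token from the global
# settings, so only the room is stored in the job and nothing is duplicated.
CLEAN_CONFIG_XML = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <publishers>
    <jenkins.plugins.hipchat.HipChatNotifier>
      <room>build-notifications</room>
    </jenkins.plugins.hipchat.HipChatNotifier>
  </publishers>
</project>
"""

# Tag names that should never carry a literal secret inside a job config.
SECRET_TAG_RE = re.compile(r"token|secret|password|apikey", re.IGNORECASE)
# Tag names that belong only in the global config; seeing them in a job
# means the global settings were copied into the job.
COPIED_TAG_RE = re.compile(r"^server$", re.IGNORECASE)


def _local_name(tag):
    """Strip an XML namespace prefix, if any, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _mask(value):
    """Keep only a short prefix so a report never reproduces the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_config(xml_text):
    """Return [(tag, kind, shown_value)] for HipChat settings stored in a job.

    kind is 'plaintext-secret' for token-like elements and 'copied-setting'
    for the server host name that should live only in the global config.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        if "hipchat" not in _local_name(element.tag).lower():
            continue
        for child in element:
            tag = _local_name(child.tag)
            value = (child.text or "").strip()
            if not value:
                continue
            if SECRET_TAG_RE.search(tag):
                findings.append((tag, "plaintext-secret", _mask(value)))
            elif COPIED_TAG_RE.match(tag):
                findings.append((tag, "copied-setting", value))
    return findings


def scan_jobs_dir(jenkins_home):
    """Scan every jobs/*/config.xml under JENKINS_HOME; returns {job: findings}."""
    results = {}
    for config in Path(jenkins_home).glob("jobs/*/config.xml"):
        findings = scan_config(config.read_text(encoding="utf-8"))
        if findings:
            results[config.parent.name] = findings
    return results


if __name__ == "__main__":
    import sys
    # Path is an assumption; pass your real JENKINS_HOME as the first argument.
    home = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/jenkins"
    for job, findings in scan_jobs_dir(home).items():
        for tag, kind, shown in findings:
            print(f"{job}: <{tag}> {kind} ({shown})")
```

Run it against a copy of JENKINS_HOME (or the config-history directory, since the issue notes that job configuration history exposes the same values) and treat every `plaintext-secret` hit as a token to rotate, not just a config to clean up: anyone who could read the job configuration may already have it.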

          People: aldaris, Gennady Feldman (gena01)