Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- Environment: Credentials plugin version 1.18 on Jenkins 1.580.3 on Ubuntu 14.04 LTS
Description
The credentials.xml file holds a plaintext copy of the credentials stored via Jenkins. On a fresh install of Jenkins, this file has world readable permissions by default:
```
$ ls -l /var/lib/jenkins/credentials.xml
-rw-r--r-- 1 jenkins jenkins 2863 Feb 12 19:00 /var/lib/jenkins/credentials.xml
```
It should have at least group readable permissions only.
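An added example, not part of the original report or of Jenkins itself: a POSIX shell check that lists `credentials.xml` files readable by other users under the Jenkins home and, on request, removes the world permission bits. The function names and the `JENKINS_HOME` default of `/var/lib/jenkins` (the path shown in the report) are assumptions.

```shell
#!/bin/sh
# Added example, not Jenkins project code.
# Assumption: the Jenkins home is /var/lib/jenkins, as in the report above.
JENKINS_HOME=${JENKINS_HOME:-/var/lib/jenkins}

# Print every regular file named $2 under directory $1 that "other"
# users can read (the 004 permission bit is set, as in mode 0644).
world_readable() {
    find "$1" -type f -name "$2" -perm -004 -print
}

# Remove all "other" permission bits from those files (0644 becomes 0640),
# leaving owner and group access unchanged. Prints each path it changed.
tighten() {
    find "$1" -type f -name "$2" -perm -004 -exec chmod o-rwx {} \; -print
}

# Report-only by default; pass "fix" as the first argument to change modes.
audit() {
    if [ "${1:-}" = "fix" ]; then
        tighten "$JENKINS_HOME" credentials.xml
    else
        world_readable "$JENKINS_HOME" credentials.xml
    fi
}

# Only act when the Jenkins home actually exists on this host.
if [ -d "$JENKINS_HOME" ]; then
    audit "$@"
fi
```

A one-time `chmod` does not change the mode of files created later; that is governed by the umask of the Jenkins process.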
Activity
Field | Original Value | New Value |
---|---|---|
Component/s | ssh-credentials-plugin [ 17424 ] |
Environment | Credentials plugin version 1.22 on Jenkins 1.580.3 on ubuntu 14.04 LTS | Credentials plugin version 1.18 on Jenkins 1.580.3 on ubuntu 14.04 LTS |
Labels | security |
Component/s | credentials-plugin [ 16523 ] |
Resolution | Fixed [ 1 ] | |
Status | Open [ 1 ] | Resolved [ 5 ] |
Summary | credentials.xml file permission too permissive | BasicSSHUserPrivateKey.DirectEntryPrivateKeySource.privateKey stored in plaintext |
Status | Resolved [ 5 ] | Closed [ 6 ] |
Workflow | JNJira [ 161128 ] | JNJira + In-Review [ 208440 ] |