Jenkins / JENKINS-26943

BasicSSHUserPrivateKey.DirectEntryPrivateKeySource.privateKey stored in plaintext

Details

    Description

      The credentials.xml file holds a plaintext copy of the credentials stored via Jenkins. On a fresh install of Jenkins, this file has world readable permissions by default:

      $ ls -l /var/lib/jenkins/credentials.xml
      -rw-r--r-- 1 jenkins jenkins 2863 Feb 12 19:00 /var/lib/jenkins/credentials.xml

      It should have at least group readable permissions only.
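
      A check for the two conditions this issue covers (the world-readable mode from the description and, per the final summary, a private key sitting in the file), as an added example that is not part of the original report or of Jenkins itself. The function names and finding labels are hypothetical; the only path assumed is the one shown in the report.

```shell
#!/bin/sh
# Added example (not from the report): audit a Jenkins credentials.xml.
# Prints one finding per line.
# Returns 0 if clean, 1 if there are findings, 2 if the file is missing.
audit_credentials_file() {
    f=$1
    findings=0
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    # POSIX find: "-perm -0004" matches when the other-read bit is set.
    if [ -n "$(find "$f" -prune -perm -0004)" ]; then
        echo "WORLD_READABLE $f"
        findings=1
    fi
    # "-perm -0002" matches when the other-write bit is set.
    if [ -n "$(find "$f" -prune -perm -0002)" ]; then
        echo "WORLD_WRITABLE $f"
        findings=1
    fi
    # A PEM private-key header means key material is stored in the file
    # as-is. The key may still carry its own passphrase; this only flags
    # that anyone who can read the file obtains the key block.
    if grep -Eq -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$f"; then
        echo "PEM_PRIVATE_KEY $f"
        findings=1
    fi
    return "$findings"
}

# Drop all access for "other" (for example 0644 -> 0640).
# Owner and group bits are left as they are.
restrict_credentials_file() {
    chmod o-rwx "$1"
}

# Usage: sh audit.sh /var/lib/jenkins/credentials.xml
if [ "$#" -gt 0 ]; then
    audit_credentials_file "$1"
fi
```

      Tightening the mode only narrows who can read the file; a `PEM_PRIVATE_KEY` finding persists until the key is no longer stored there in plaintext.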

        Activity

          wilrnh William Hutson created issue -
          wilrnh William Hutson made changes -
          Field Original Value New Value
          Component/s ssh-credentials-plugin [ 17424 ]
          wilrnh William Hutson made changes -
          Environment Credentials plugin version 1.22 on Jenkins 1.580.3 on ubuntu 14.04 LTS -> Credentials plugin version 1.18 on Jenkins 1.580.3 on ubuntu 14.04 LTS
          jglick Jesse Glick made changes -
          Labels security
          jglick Jesse Glick made changes -
          Component/s credentials-plugin [ 16523 ]
          jglick Jesse Glick made changes -
          Resolution Fixed [ 1 ]
          Status Open [ 1 ] -> Resolved [ 5 ]
          jglick Jesse Glick made changes -
          Summary credentials.xml file permission too permissive -> BasicSSHUserPrivateKey.DirectEntryPrivateKeySource.privateKey stored in plaintext
          stephenconnolly Stephen Connolly made changes -
          Status Resolved [ 5 ] -> Closed [ 6 ]
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 161128 ] -> JNJira + In-Review [ 208440 ]

          People

            stephenconnolly Stephen Connolly
            wilrnh William Hutson