[JENKINS-31611] Unprivileged user may access plugin uninstall form

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Labels: None

      Through forceful browsing, it is possible to reach the uninstall page for plugins, e.g. http://$JENKINS_URL/pluginManager/plugin/saml/uninstall

      Submitting the form results in an access denied exception. This form should not be reachable for normal users.
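The defensive pattern this report asks for is to enforce the permission when the page is rendered, not only when the form is submitted. The following Groovy view is an added illustration written for this page, not the code from the JENKINS-31611 commits; it assumes the standard Jenkins Groovy-view bindings (`app` is the Jenkins singleton, `my` is the PluginWrapper being rendered) and the form target name `doUninstall` is a placeholder.

```groovy
// Added example: a Jenkins Groovy view for a plugin "uninstall" page that is
// unreachable for unprivileged users. Not the project's own uninstall.groovy.
import jenkins.model.Jenkins

// Check the permission before any markup is produced. For a user without
// ADMINISTER this throws AccessDeniedException (rendered as HTTP 403), so
// the form cannot be reached by forceful browsing; the POST handler must
// still perform its own check, this guard only closes the GET side.
app.checkPermission(Jenkins.ADMINISTER)

l = namespace(lib.LayoutTagLib)
f = namespace(lib.FormTagLib)

l.layout(title: "Uninstall ${my.shortName}") {
    l.main_panel {
        h1("Uninstall ${my.longName}")
        // "doUninstall" is an assumed handler name for this illustration.
        f.form(method: "post", action: "doUninstall", name: "uninstall") {
            p("This will remove the plugin from this Jenkins instance.")
            f.submit(value: "Yes")
        }
    }
}
```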


          Daniel Beck added a comment -

          The real issue here appears to be that it's possible to enumerate installed plugins by trying to access their uninstall URLs.


          Daniel Beck added a comment -

          Actually there's no way around being able to determine whether a plugin is installed given how Stapler works. If you don't want people to be able to determine which plugins are installed, don't give them read access to your instance.

          Looking into preventing access to this URL.


          Daniel Beck added a comment -

          No security component as there's nothing a user can gain from accessing that URL.

          Still, preventing access to the URL would prevent scaring admins ("Look what I can do even though I'm not an admin!"), so it seems worth it to fix if the fix is simple.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/resources/hudson/PluginWrapper/thirdPartyLicenses.jelly
          core/src/main/resources/hudson/PluginWrapper/uninstall.groovy
          http://jenkins-ci.org/commit/jenkins/023b2ad4188ad117bcddd9da78dde2ebcaa33872
          Log:
          [FIX JENKINS-31611] Restrict access to plugin pages

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/resources/hudson/PluginWrapper/thirdPartyLicenses.jelly
          core/src/main/resources/hudson/PluginWrapper/uninstall.groovy
          http://jenkins-ci.org/commit/jenkins/c2525bf988ba699a5c9efa5b324c3ce132b0aadc
          Log:
          Merge pull request #2317 from daniel-beck/JENKINS-31611

          [FIX JENKINS-31611] Restrict access to plugin pages

          Compare: https://github.com/jenkinsci/jenkins/compare/c64804d8fa83...c2525bf988ba

            danielbeck Daniel Beck
            jec Josh Cook
            Votes: 0
            Watchers: 2