[JENKINS-31611] Unprivileged user may access plugin uninstall form

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core

      Through forceful browsing, it is possible to reach the uninstall page for plugins, e.g. http://$JENKINS_URL/pluginManager/plugin/saml/uninstall

      Submitting the form results in an access denied exception. This form should not be reachable for normal users.


          Josh Cook created issue
          Josh Cook made changes: Labels, original "plugins security", new "authorization plugins security"

          Daniel Beck added a comment:

          The real issue here appears to be that it's possible to enumerate installed plugins by trying to access their uninstall URLs.


          Daniel Beck added a comment:

          Actually there's no way around being able to determine whether a plugin is installed given how Stapler works. If you don't want people to be able to determine which plugins are installed, don't give them read access to your instance.

          Looking into preventing access to this URL.

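A defender-side check for the enumeration pattern described in the comment above, added here as an example and not part of the issue or of Jenkins' own code: it scans access-log lines (constructed samples in the common-log layout, an assumed format) for non-admin accounts requesting many distinct plugin uninstall URLs and separates the names Stapler routed (installed plugins, any status but 404) from the names it did not.

```python
import re
from collections import defaultdict

# Common-log layout assumed for the constructed samples:
#   host ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The uninstall view path from the issue; plugin short names use [A-Za-z0-9_.-]
UNINSTALL_RE = re.compile(r'^/pluginManager/plugin/([A-Za-z0-9_.-]+)/uninstall/?$')

# Constructed sample lines: alice probes four names, bob opens one page, admin is exempt
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Nov/2015:10:00:01 +0000] "GET /pluginManager/plugin/saml/uninstall HTTP/1.1" 200 2310
10.0.0.5 - alice [12/Nov/2015:10:00:02 +0000] "GET /pluginManager/plugin/git/uninstall HTTP/1.1" 200 2290
10.0.0.5 - alice [12/Nov/2015:10:00:03 +0000] "GET /pluginManager/plugin/nonesuch/uninstall HTTP/1.1" 404 180
10.0.0.5 - alice [12/Nov/2015:10:00:04 +0000] "GET /pluginManager/plugin/ldap/uninstall HTTP/1.1" 200 2300
10.0.0.7 - bob [12/Nov/2015:10:01:00 +0000] "GET /job/build/42/console HTTP/1.1" 200 5000
10.0.0.7 - bob [12/Nov/2015:10:01:01 +0000] "GET /pluginManager/plugin/git/uninstall HTTP/1.1" 200 2290
10.0.0.9 - admin [12/Nov/2015:10:02:00 +0000] "GET /pluginManager/plugin/saml/uninstall HTTP/1.1" 200 2310
"""

def parse_uninstall_hit(line):
    """Return (user, plugin, status) for a request to a plugin uninstall URL, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = UNINSTALL_RE.match(m.group("path").split("?", 1)[0])
    return (m.group("user"), u.group(1), int(m.group("status"))) if u else None

def uninstall_probes(lines, admins, min_distinct=3):
    """Map each non-admin user who touched >= min_distinct distinct plugin uninstall URLs
    to the names Stapler answered for ("confirmed", any status but 404) and the names it
    did not route ("missing", 404). Admins may legitimately open this page."""
    seen = defaultdict(dict)  # user -> {plugin: most telling status}
    for line in lines:
        hit = parse_uninstall_hit(line)
        if hit is None or hit[0] in admins:
            continue
        user, plugin, status = hit
        if seen[user].get(plugin, 404) == 404:  # a non-404 answer is never downgraded
            seen[user][plugin] = status
    return {
        user: {"confirmed": sorted(p for p, s in plugins.items() if s != 404),
               "missing": sorted(p for p, s in plugins.items() if s == 404)}
        for user, plugins in seen.items() if len(plugins) >= min_distinct
    }

if __name__ == "__main__":
    print(uninstall_probes(SAMPLE_LOG.splitlines(), admins={"admin"}))
```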
          Daniel Beck made changes: Assignee, new "Daniel Beck [ danielbeck ]"
          Daniel Beck made changes: Labels, original "authorization plugins security"
          Daniel Beck made changes: Component/s, new "core [ 15593 ]", original "security [ 15508 ]"

          Daniel Beck added a comment:

          No security component as there's nothing a user can gain from accessing that URL.

          Still, preventing access to the URL would prevent scaring admins ("Look what I can do even though I'm not an admin!"), so it seems worth it to fix if the fix is simple.

          Daniel Beck made changes: Status, original "Open [ 1 ]", new "In Progress [ 3 ]"
          Daniel Beck made changes: Remote Link, new: This issue links to "PR 2317 (Web Link)" [ 14272 ]

            Assignee: Daniel Beck (danielbeck)
            Reporter: Josh Cook (jec)