Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-31613

Username is displayed in RESTful URL

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Not A Defect
    • Component/s: _unsorted
    • Environment:
    • Similar Issues:

      Description

      When accessing various RESTful resources in Jenkins, e.g. <https://$JENKINS_URL/user/$USERNAME/my-views/view/All/>, the username is used as a REST parameter. This causes the username to be leaked in the URL. URLs can be stored in server logs, caching proxies, and browsers, thus exposing the username to others. The username could then be used in a password guessing, brute-force, or social engineering attack.

      The username should not be used as a REST parameter. The username should only be submitted via POST requests or an alternate identifier should be used in the URL.

        Attachments

          Activity

          Hide
          danielbeck Daniel Beck added a comment -

          We don't consider user names in Jenkins to be sensitive information. Those are shown in build causes, users are enumerated on /asynchPeople, they are referenced in changelogs, etc.

          Show
          danielbeck Daniel Beck added a comment - We don't consider user names in Jenkins to be sensitive information. Those are shown in build causes, users are enumerated on /asynchPeople, they are referenced in changelogs, etc.

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            jec Josh Cook
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: