[JENKINS-31613] Username is displayed in RESTful URL

Type: Bug
Resolution: Not A Defect
Priority: Minor
Component/s: _unsorted
Labels:
- rest
- security
- username
Environment:

Hide
Operating System
-bash-4.1$ cat /etc/oracle-release && uname -a
Oracle Linux Server release 6.5
Linux dsdsesvcai101v 3.8.13-68.2.2.el6uek.x86_64 #2 SMP Tue May 12 15:10:51 PDT 2015 x86_64 x86_64 x86_64 GNU/Linux

Java
-bash-4.1$ /etc/alternatives/java -version
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode)

Jenkins & Plugins
System Properties

Name ↓
Value
awt.toolkit sun.awt.X11.XToolkit
executable-war /usr/lib/jenkins/jenkins.war
file.encoding UTF-8
file.encoding.pkg sun.io
file.separator /
hudson.diyChunking true
hudson.DNSMultiCast.disabled true
java.awt.graphicsenv sun.awt.X11GraphicsEnvironment
java.awt.headless true
java.awt.printerjob sun.print.PSPrinterJob
java.class.path /usr/lib/jenkins/jenkins.war
java.class.version 52.0
java.endorsed.dirs /usr/java/jdk1.8.0_40/jre/lib/endorsed
java.ext.dirs /usr/java/jdk1.8.0_40/jre/lib/ext:/usr/java/packages/lib/ext
java.home /usr/java/jdk1.8.0_40/jre
java.io.tmpdir /tmp
java.library.path /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.runtime.name Java(TM) SE Runtime Environment
java.runtime.version 1.8.0_40-b26
java.specification.name Java Platform API Specification
java.specification.vendor Oracle Corporation
java.specification.version 1.8
java.vendor Oracle Corporation
java.vendor.url http://java.oracle.com/
java.vendor.url.bug http://bugreport.sun.com/bugreport/
java.version 1.8.0_40
java.vm.info mixed mode
java.vm.name Java HotSpot(TM) 64-Bit Server VM
java.vm.specification.name Java Virtual Machine Specification
java.vm.specification.vendor Oracle Corporation
java.vm.specification.version 1.8
java.vm.vendor Oracle Corporation
java.vm.version 25.40-b25
JENKINS_HOME /apps/jenkins
jna.platform.library.path /usr/lib64:/lib64:/usr/lib:/lib
jnidispatch.path /tmp/jna--1712433994/jna6000391753915357396.tmp
line.separator
mail.smtp.sendpartial true
mail.smtps.sendpartial true
os.arch amd64
os.name Linux
os.version 3.8.13-68.2.2.el6uek.x86_64
path.separator :
sun.arch.data.model 64
sun.boot.class.path /usr/java/jdk1.8.0_40/jre/lib/resources.jar:/usr/java/jdk1.8.0_40/jre/lib/rt.jar:/usr/java/jdk1.8.0_40/jre/lib/sunrsasign.jar:/usr/java/jdk1.8.0_40/jre/lib/jsse.jar:/usr/java/jdk1.8.0_40/jre/lib/jce.jar:/usr/java/jdk1.8.0_40/jre/lib/charsets.jar:/usr/java/jdk1.8.0_40/jre/lib/jfr.jar:/usr/java/jdk1.8.0_40/jre/classes
sun.boot.library.path /usr/java/jdk1.8.0_40/jre/lib/amd64
sun.cpu.endian little
sun.cpu.isalist
sun.font.fontmanager sun.awt.X11FontManager
sun.io.unicode.encoding UnicodeLittle
sun.java.command /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20
sun.java.launcher SUN_STANDARD
sun.jnu.encoding UTF-8
sun.management.compiler HotSpot 64-Bit Tiered Compilers
sun.os.patch.level unknown
user.country US
user.dir /
user.home /var/lib/jenkins
user.language en
user.name jenkins
user.timezone America/Chicago
Environment Variables

Name ↓
Value
_ /etc/alternatives/java
HOME /var/lib/jenkins
LANG en_US.UTF-8
LOGNAME jenkins
NLSPATH /usr/dt/lib/nls/msg/%L/%N.cat
PATH /sbin:/usr/sbin:/bin:/usr/bin
PWD /
SHELL /bin/bash
SHLVL 2
TERM xterm-256color
USER jenkins
XFILESEARCHPATH /usr/dt/app-defaults/%L/Dt
Plugins

Name ↓
Version
Enabled
Pinned
ant 1.2 true false
antisamy-markup-formatter 1.3 true true
cloudbees-folder 4.10 true false
credentials 1.24 true true
credentials-binding 1.6 true false
cvs 2.12 false true
external-monitor-job 1.4 true false
git 2.4.0 true false
git-client 1.19.0 true false
javadoc 1.3 true true
junit 1.9 true true
ldap 1.11 true false
mailer 1.15 true true
matrix-auth 1.2 true true
matrix-project 1.6 true true
maven-plugin 2.12.1 true true
metrics 3.1.2 true false
pam-auth 1.2 true true
plain-credentials 1.1 true false
reverse-proxy-auth-plugin 1.4.0 true false
saml 0.4 false false
scm-api 0.2 true false
script-security 1.15 true true
shiningpanda 0.22 true false
ssh-agent 1.8 true false
ssh-credentials 1.11 true true
ssh-slaves 1.10 true true
suppress-stack-trace 1.4 true false
translation 1.12 false true
windows-slaves 1.1 false true
workflow-step-api 1.10.1 true false

Jenkins running directly (no container)

Jenkins accessed via reverse proxy
Access Control: HTTP Header by reverse proxy

Show
Operating System -bash-4.1$ cat /etc/oracle-release && uname -a Oracle Linux Server release 6.5 Linux dsdsesvcai101v 3.8.13-68.2.2.el6uek.x86_64 #2 SMP Tue May 12 15:10:51 PDT 2015 x86_64 x86_64 x86_64 GNU/Linux Java -bash-4.1$ /etc/alternatives/java -version java version "1.8.0_40" Java(TM) SE Runtime Environment (build 1.8.0_40-b26) Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode) Jenkins & Plugins System Properties Name ↓ Value awt.toolkit sun.awt.X11.XToolkit executable-war /usr/lib/jenkins/jenkins.war file.encoding UTF-8 file.encoding.pkg sun.io file.separator / hudson.diyChunking true hudson.DNSMultiCast.disabled true java.awt.graphicsenv sun.awt.X11GraphicsEnvironment java.awt.headless true java.awt.printerjob sun.print.PSPrinterJob java.class.path /usr/lib/jenkins/jenkins.war java.class.version 52.0 java.endorsed.dirs /usr/java/jdk1.8.0_40/jre/lib/endorsed java.ext.dirs /usr/java/jdk1.8.0_40/jre/lib/ext:/usr/java/packages/lib/ext java.home /usr/java/jdk1.8.0_40/jre java.io.tmpdir /tmp java.library.path /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib java.runtime.name Java(TM) SE Runtime Environment java.runtime.version 1.8.0_40-b26 java.specification.name Java Platform API Specification java.specification.vendor Oracle Corporation java.specification.version 1.8 java.vendor Oracle Corporation java.vendor.url http://java.oracle.com/ java.vendor.url.bug http://bugreport.sun.com/bugreport/ java.version 1.8.0_40 java.vm.info mixed mode java.vm.name Java HotSpot(TM) 64-Bit Server VM java.vm.specification.name Java Virtual Machine Specification java.vm.specification.vendor Oracle Corporation java.vm.specification.version 1.8 java.vm.vendor Oracle Corporation java.vm.version 25.40-b25 JENKINS_HOME /apps/jenkins jna.platform.library.path /usr/lib64:/lib64:/usr/lib:/lib jnidispatch.path /tmp/jna--1712433994/jna6000391753915357396.tmp line.separator mail.smtp.sendpartial true mail.smtps.sendpartial true os.arch amd64 os.name Linux os.version 3.8.13-68.2.2.el6uek.x86_64 path.separator : sun.arch.data.model 64 sun.boot.class.path /usr/java/jdk1.8.0_40/jre/lib/resources.jar:/usr/java/jdk1.8.0_40/jre/lib/rt.jar:/usr/java/jdk1.8.0_40/jre/lib/sunrsasign.jar:/usr/java/jdk1.8.0_40/jre/lib/jsse.jar:/usr/java/jdk1.8.0_40/jre/lib/jce.jar:/usr/java/jdk1.8.0_40/jre/lib/charsets.jar:/usr/java/jdk1.8.0_40/jre/lib/jfr.jar:/usr/java/jdk1.8.0_40/jre/classes sun.boot.library.path /usr/java/jdk1.8.0_40/jre/lib/amd64 sun.cpu.endian little sun.cpu.isalist sun.font.fontmanager sun.awt.X11FontManager sun.io.unicode.encoding UnicodeLittle sun.java.command /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20 sun.java.launcher SUN_STANDARD sun.jnu.encoding UTF-8 sun.management.compiler HotSpot 64-Bit Tiered Compilers sun.os.patch.level unknown user.country US user.dir / user.home /var/lib/jenkins user.language en user.name jenkins user.timezone America/Chicago Environment Variables Name ↓ Value _ /etc/alternatives/java HOME /var/lib/jenkins LANG en_US.UTF-8 LOGNAME jenkins NLSPATH /usr/dt/lib/nls/msg/%L/%N.cat PATH /sbin:/usr/sbin:/bin:/usr/bin PWD / SHELL /bin/bash SHLVL 2 TERM xterm-256color USER jenkins XFILESEARCHPATH /usr/dt/app-defaults/%L/Dt Plugins Name ↓ Version Enabled Pinned ant 1.2 true false antisamy-markup-formatter 1.3 true true cloudbees-folder 4.10 true false credentials 1.24 true true credentials-binding 1.6 true false cvs 2.12 false true external-monitor-job 1.4 true false git 2.4.0 true false git-client 1.19.0 true false javadoc 1.3 true true junit 1.9 true true ldap 1.11 true false mailer 1.15 true true matrix-auth 1.2 true true matrix-project 1.6 true true maven-plugin 2.12.1 true true metrics 3.1.2 true false pam-auth 1.2 true true plain-credentials 1.1 true false reverse-proxy-auth-plugin 1.4.0 true false saml 0.4 false false scm-api 0.2 true false script-security 1.15 true true shiningpanda 0.22 true false ssh-agent 1.8 true false ssh-credentials 1.11 true true ssh-slaves 1.10 true true suppress-stack-trace 1.4 true false translation 1.12 false true windows-slaves 1.1 false true workflow-step-api 1.10.1 true false Jenkins running directly (no container) Jenkins accessed via reverse proxy Access Control: HTTP Header by reverse proxy

Similar Issues:
Powered by SuggestiMate

Show

When accessing various RESTful resources in Jenkins, e.g. <https://$JENKINS_URL/user/$USERNAME/my-views/view/All/>, the username is used as a REST parameter. This causes the username to be leaked in the URL. URLs can be stored in server logs, caching proxies, and browsers, thus exposing the username to others. The username could then be used in a password guessing, brute-force, or social engineering attack.

The username should not be used as a REST parameter. The username should only be submitted via POST requests or an alternate identifier should be used in the URL.

Josh Cook created issue - 2015-11-17 20:56

Daniel Beck made changes - 2016-03-22 16:47

Resolution		New: Not A Defect [ 7 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

R. Tyler Croy made changes - 2016-07-25 23:57

Workflow

Original: JNJira [ 167045 ]

New: JNJira + In-Review [ 198102 ]

Jenkins IRC Bot made changes - 2017-04-15 23:15

Component/s		New: _unsorted [ 19622 ]
Component/s	Original: security [ 15508 ]

Assignee:: Unassigned

Reporter:: Josh Cook

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2015-11-17 20:56

Updated:: 2017-04-15 23:15

Resolved:: 2016-03-22 16:47

Jenkins

Details

Description

Attachments

Activity

People

Dates