Improvement
Resolution: Fixed
Minor
None
Got into this case during the fix of JENKINS-33600. I do not see any exploits in the code, but it seems SECURITY-166 by campbellr was not aggressive enough in String checking.
This code allows non-trimmed restricted usernames, hence I was able to create the " anonymous " account with the "Anonymous " full name. The same can be done for SYSTEM as well. UIs do not present such trailing spaces, hence the UI looks to be "fine".
I have no obvious exploits in the code, but this logic gap may be a security issue if a plugin does not work with user IDs with spaces.
Is it a security issue or should we handle it as a common bug?
is related to
JENKINS-39009 User#isIdOrFullnameAllowed() should disallow system names with special symbols
Open
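The gap described in the report above, as an added sketch that is not Jenkins code: a reserved-name check that compares the raw string, next to one that trims and case-folds before comparing. The class name, method names and the two-entry reserved list are assumptions for illustration; only "anonymous" and SYSTEM come from the report.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class ReservedNameCheck {
    // Reserved names mentioned in the report; a real list may be longer.
    private static final Set<String> RESERVED = Set.of("anonymous", "system");

    // Models the reported gap: the raw input is compared as-is, so a
    // padded value such as " anonymous " is not recognised as reserved.
    static boolean allowedNaive(String idOrFullName) {
        for (String reserved : RESERVED) {
            if (reserved.equalsIgnoreCase(idOrFullName)) {
                return false;
            }
        }
        return true;
    }

    // Normalises first: strips leading/trailing whitespace and lower-cases
    // with a fixed locale, then compares. Rejecting null and blank input
    // is an added choice here, not something the report asks for.
    static boolean allowedStrict(String idOrFullName) {
        if (idOrFullName == null) {
            return false;
        }
        String normalised = idOrFullName.strip().toLowerCase(Locale.ROOT);
        return !normalised.isEmpty() && !RESERVED.contains(normalised);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the two padded values
        // quoted in the report.
        List<String> samples = List.of(
                "anonymous", " anonymous ", "Anonymous ", "SYSTEM ", "alice");
        for (String s : samples) {
            System.out.printf("%-14s naive=%-5b strict=%b%n",
                    "[" + s + "]", allowedNaive(s), allowedStrict(s));
        }
    }
}
```

The naive check rejects only the exact "anonymous" sample; the strict check rejects every sample except "alice".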
It's not clear to me how this would be exploitable to result in a loss of confidentiality, integrity, or availability.
Basically, it looks like https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N
It confuses users, and that's about it.