
Hardening: Jenkins should not allow creating users like " system " or "anonymous "

    • Improvement
    • Resolution: Fixed
    • Minor
    • core
    • None

      Ran into this case during the fix of JENKINS-33600. I do not see any exploits in the code, but it seems SECURITY-166 by campbellr was not aggressive enough in String checking.

      This code allows non-trimmed restricted usernames, hence I was able to create the " anonymous " account with the "Anonymous " full name. The same can be done for SYSTEM as well. UIs do not present such trailing spaces, hence the UI looks to be "fine".

      I have no obvious exploits in the code, but this logic gap may be a security issue if a plugin does not work with user IDs with spaces.

      Is it a security issue or should we handle it as a common bug?
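
The gap described in the report above, as an added example that is not part of the issue and is not Jenkins' own code: an exact-match reserved-name check beside one that normalizes the ID first. The class and method names are hypothetical, the exact-match method is a simplified stand-in for the check the report criticizes, and the reserved set holds only the two IDs named in this issue.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class ReservedUserIdCheck {
    // Reserved IDs named in this issue (assumption: a real instance may reserve more).
    private static final Set<String> RESERVED = Set.of("anonymous", "system");

    // Stand-in for the weak check: compares the raw string, so a padded
    // or differently cased ID is not recognised as reserved.
    static boolean isAllowedExactMatch(String id) {
        return id != null && !id.isEmpty() && !RESERVED.contains(id);
    }

    // Hardened check: strip surrounding whitespace and fold case
    // before comparing against the reserved set.
    static boolean isAllowedNormalized(String id) {
        if (id == null) {
            return false;
        }
        String normalized = id.strip().toLowerCase(Locale.ROOT);
        return !normalized.isEmpty() && !RESERVED.contains(normalized);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the padded forms from the report.
        List<String> samples = List.of(
                "anonymous", " anonymous ", "anonymous ", " system ", "SYSTEM", "alice");
        for (String id : samples) {
            System.out.printf("%-14s exactMatch=%-5b normalized=%b%n",
                    "\"" + id + "\"",
                    isAllowedExactMatch(id),
                    isAllowedNormalized(id));
        }
    }
}
```

Only "anonymous" is rejected by the exact-match method, while the normalized method rejects every sample except "alice". The same normalization has to be applied wherever an ID is later compared, otherwise the stored and checked forms can diverge.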

          [JENKINS-35967] Hardening: Jenkins should not allow creating users like " system " or "anonymous "

          Oleg Nenashev created issue -
          Oleg Nenashev made changes -
          Summary Original: Jenkins allows creating users like " system " or "anonymous" New: Jenkins allows creating users like " system " or "anonymous "

          Daniel Beck added a comment -

          It's not clear to me how this would be exploitable to result in a loss of confidentiality, integrity, or availability.

          Basically, it looks like https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N

          It confuses users, and that's about it.


          Oleg Nenashev added a comment -

          "Yes" if all plugins handle spaces correctly (including security realms, etc.).
          For me NO_ISSUE is fine, so I'm ready to convert it to a common issue


          Daniel Beck added a comment -

          I can understand the problem with people doing a String#equals and that resulting in problems for real names (e.g. "SYSTEM"), but to also include trimming? Possibly equalsIgnoreCase?

          Does anyone else see a potential vulnerability here?

          Jesse Glick made changes -
          Link New: This issue is related to SECURITY-166 [ SECURITY-166 ]

          Jesse Glick added a comment -

          Not that I can see.


          Oleg Nenashev added a comment -

          Moving to JENKINS then

          Oleg Nenashev made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: core [ 15738 ]
          Key Original: SECURITY-312 New: JENKINS-35967
          Workflow Original: Security v1.2 [ 171993 ] New: JNJira [ 172595 ]
          Project Original: Security Issues [ 10180 ] New: Jenkins [ 10172 ]
          Status Original: Untriaged [ 10001 ] New: Open [ 1 ]
          Oleg Nenashev made changes -
          Assignee New: Oleg Nenashev [ oleg_nenashev ]
