Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-41516

Groovy script console actions should be logged

    XMLWordPrintable

Details

    • Improvement
    • Resolution: Fixed
    • Major
    • core
    • 2.427

    Description

      The Groovy script console (/script) does not log actions to the Jenkins log. The actions do not appear to be logged to the system anywhere. This allows an attacker or inside actor to perform actions against a Jenkins server via Groovy script console with no trail of what was done. In our case we had a misconfigured test Jenkins server which allowed open access to /script. Someone injected a bitcoin mining script via the Groovy script console which we found as a running process on the system. There was no log of this event in Jenkins. Now the misconfiguration of our test server was a big mistake but not having logs as a way to audit the specific actions that were performed is a big mistake on the part of Jenkins core which can amplify a user's mistake.

      Attachments

        Issue Links

          Activity

            People

              danielbeck Daniel Beck
              fromonesrc Adam Ochonicki
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: