JENKINS-44244

Any user can add Scriptler script build steps to job configurations


Details

    Description

       

      SECURITY-365
      Scriptler plugin lets users with Overall/Run Scripts or Overall/Administer permission add Scriptler script executions to job configurations. Users without these permissions are not supposed to be able to add this build step to jobs.
      The protection mechanism used only affects submission of job configuration forms through the UI and can be circumvented e.g. by sending POST config.xml requests.
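Because the check described above is applied only to UI form submissions, a stored job configuration can contain the build step regardless of who saved it, so an audit of the configurations on disk is a useful check. The following is an added example, not code from this issue or from the plugin: it assumes the build step is serialized as an element whose name ends in `ScriptlerBuilder` with a `scriptId` child, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: the plugin's build step is serialized under this class name.
SCRIPTLER_TAG_SUFFIX = "ScriptlerBuilder"
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def find_scriptler_steps(config_xml: str) -> list[str]:
    """Return the script id of every Scriptler build step in one config.xml."""
    # Jenkins writes an XML 1.1 declaration that Python's parser rejects,
    # so drop the declaration before parsing.
    root = ET.fromstring(XML_DECL.sub("", config_xml, count=1))
    hits = []
    for elem in root.iter():  # iter() also reaches steps nested in wrappers
        if isinstance(elem.tag, str) and elem.tag.endswith(SCRIPTLER_TAG_SUFFIX):
            hits.append(elem.findtext("scriptId", default="<unknown>"))
    return hits


def audit_jobs(jenkins_home: str) -> dict[str, list[str]]:
    """Map each job directory under JENKINS_HOME/jobs to its Scriptler steps."""
    findings = {}
    for cfg in sorted(Path(jenkins_home, "jobs").rglob("config.xml")):
        try:
            steps = find_scriptler_steps(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            steps = ["<unparseable config, review manually>"]
        if steps:
            findings[str(cfg.parent)] = steps
    return findings


# Constructed sample, not taken from a real job.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <builders>
    <hudson.tasks.Shell><command>make test</command></hudson.tasks.Shell>
    <org.jenkinsci.plugins.scriptler.builder.ScriptlerBuilder>
      <scriptId>example.groovy</scriptId>
    </org.jenkinsci.plugins.scriptler.builder.ScriptlerBuilder>
  </builders>
</project>"""

if __name__ == "__main__":
    print(find_scriptler_steps(SAMPLE_CONFIG))
```

Each job the audit reports can then be compared against the list of users who hold Overall/Run Scripts or Overall/Administer.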


        Activity

          ehbbt E H added a comment -

          What is needed to resolve this vulnerability?  If it isn't an easy fix, can some functionality be removed or limited to get around the problem?


          People

            imod Dominik Bartholdi