
[zephyr-for-jira-test-management] - ZephyrforJiraPlugin: Security risk when the job is misconfigured

      Currently Zephyr for JIRA plugin allows us to configure credentials in global configuration in Jenkins.

      If we want to push our JUnit-style results into JIRA, we need to enter the below details in the Jenkins job under "publish test results to Zephyr" as a post-build activity.

      JIRA URL
      Project Name
      Version
      Cycle
      Cycle Duration
      Cycle Prefix

       We are able to push the results. However, another Jenkins user who is not associated with any JIRA project can use this "publish test results to Zephyr" post-build activity and push results with the configured credentials. This poses a risk where issues are created in the wrong project if the Jenkins job is misconfigured.


          Manjunath Bhimareddy created issue -
          Oleg Nenashev made changes -
          Component/s New: specific-plugin [ 17329 ]
          Component/s Original: zephyr-for-jira-test-management-plugin [ 20824 ]
          Key Original: JENKINS-47314 New: SECURITY-1145
          Workflow Original: JNJira + In-Review [ 223048 ] New: Security v1.2 [ 230759 ]
          Issue Type Original: Bug [ 1 ] New: Security Vulnerability [ 10103 ]
          Project Original: Jenkins [ 10172 ] New: Security Issues [ 10180 ]
          Oleg Nenashev made changes -
          Summary Original: ZephyrforJiraPlugin: Security issue New: [zephyr-for-jira-test-management] - ZephyrforJiraPlugin: Security issue

          Oleg Nenashev added a comment -

          Moved the issue to the security bugtracker. It was open for 10 months in public, without response from maintainers

          Oleg Nenashev made changes -
          Labels New: prematurely-disclosed

          Daniel Beck added a comment -

          oleg_nenashev This is not a security vulnerability, please move it back.

          Oleg Nenashev made changes -
          Component/s New: zephyr-for-jira-test-management-plugin [ 20824 ]
          Component/s Original: specific-plugin [ 17329 ]
          Key Original: SECURITY-1145 New: JENKINS-53287
          Workflow Original: Security v1.2 [ 230759 ] New: JNJira + In-Review [ 230773 ]
          Issue Type Original: Security Vulnerability [ 10103 ] New: Bug [ 1 ]
          Project Original: Security Issues [ 10180 ] New: Jenkins [ 10172 ]
          Oleg Nenashev made changes -
          Labels Original: prematurely-disclosed

          Oleg Nenashev added a comment -

          ok

          Oleg Nenashev made changes -
          Summary Original: [zephyr-for-jira-test-management] - ZephyrforJiraPlugin: Security issue New: [zephyr-for-jira-test-management] - ZephyrforJiraPlugin: Security risk when the job is misconfigured

            zeedeveloper Zephyr Developer
            mbhim Manjunath Bhimareddy
            Votes: 0
            Watchers: 4