JENKINS-53287

[zephyr-for-jira-test-management] - ZephyrforJiraPlugin: Security risk when the job is misconfigured

      Currently the Zephyr for JIRA plugin allows us to configure credentials in the global configuration in Jenkins.

      If we want to push our JUnit-style results into JIRA, we need to enter the below details in the Jenkins job under "publish test results to Zephyr" as post-build activities.

      JIRA URL
      Project Name
      Version
      Cycle
      Cycle Duration
      Cycle Prefix

      We are able to push the results. However, another Jenkins user who is not associated with any JIRA project can use this "publish test results to Zephyr as post build activities" and push the results with the configured credentials. This poses a risk where issues are created if published to the wrong project/if the Jenkins job is misconfigured?

       

       

       


          Oleg Nenashev added a comment -

          Moved the issue to the security bugtracker. It was open for 10 months in public, without response from maintainers.


          Daniel Beck added a comment -

          oleg_nenashev This is not a security vulnerability, please move it back.


          Oleg Nenashev added a comment -

          ok


          vignesh nehru added a comment -

          At least you're able to move the test from Jenkins to Zephyr within Jira. For me the jobs themselves don't appear in the Jenkins configuration and it says 'No Project'.


            zeedeveloper Zephyr Developer
            mbhim Manjunath Bhimareddy