Jenkins issue JENKINS-56128

Job import plugin allows credential dumping


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: job-import-plugin
    • Labels: None
    • Environment: Jenkins ver. 2.150.2

      Description

      Logged into Jenkins with a valid user, no unrestricted credentials assigned/scoped to my user. No permission to view or add credentials assigned to my user. Job import plugin has several users available, appearing in the dropdown as "username/***********". If I enter a query URL for an HTTP server that I control and select one of these credentials, the password is transmitted in base64 encoding in the HTTP GET request. This essentially allows me to dump any of these stored credentials despite not being allowed to access them through the credentials page.

      It's possible that I misunderstand this functionality or that we have a misconfiguration, but this seems abusable.


            People

            Assignee: Unassigned
            Reporter: Joshua Ganger (ninjaambush)
