Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-56128

Job import plugin allows credential dumping

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • job-import-plugin
    • None
    • Jenkins ver. 2.150.2

      Logged into Jenkins with a valid user, no unrestricted credentials assigned/scoped to my user.  No permission to view or add credentials assigned to my user.  Job import plugin has several users available, appearing in the dropdown as "username/***********".  If I enter a query URL for an http server that I control and select one of these credentials, the password is transmitted in base64 encoding in the HTTP get request.  This essentially allows me to dump any of these stored credentials despite not being allowed to access them through the credentials page.

       

      It's possible that I misunderstand this functionality or that we have a misconfiguration, but this seems abuseable.  

            Unassigned Unassigned
            ninjaambush Joshua Ganger
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: