Broken Jelly permission check creates MANAGE_DOMAINS user

This issue is archived. You can view it, but you can't modify it. Learn more

XMLWordPrintable

    • credentials-2.2.1

      https://github.com/jenkinsci/credentials-plugin/blob/11873056e05470405fa004adbd2967d96eeafa12/src/main/resources/com/cloudbees/plugins/credentials/ViewCredentialsAction/action.jelly#L39

      it is a User, and this ends up calling static User#get(String)

      This does not impact security, but the check will succeed, and the "Add domain" link will be shown to users without the necessary permission.

            Assignee:
            Daniel Beck
            Reporter:
            Daniel Beck
            Archiver:
            Jenkins Service Account

              Created:
              Updated:
              Resolved:
              Archived: