[JENKINS-60962] credential plugin security issue

Type: Bug
Resolution: Not A Defect
Priority: Blocker
Component/s: credentials-plugin
Labels:
None

Similar Issues:
Powered by SuggestiMate

Show

I'm currently using the credentials plugin to encrypt may username and password . However, in my pipeline script I found a way to hack the password by inserting a character in the password this causes the password to be printed clearly and since I'm the person who added the character if I removed it then I have the password.

This causes a huge security issue for us.

duplicates

JENKINS-50242 withCredentials step masking easily bypassed

Resolved

relates to

JENKINS-42950 credentials-binding-plugin not masking secret text when it includes a single quote

Resolved

sara elmenshawy created issue - 2020-02-04 12:50

sara elmenshawy made changes - 2020-02-04 14:08

Priority

Original: Minor [ 4 ]

New: Blocker [ 1 ]

Ian Williams added a comment - 2020-02-08 07:12 - edited

You should probably be filing this as a Jenkins SECURITY Issue, along with the details to reproduce. Only you, tne Security Admin and the plugin maintainers will see the details.

Ian Williams added a comment - 2020-02-08 07:12 - edited You should probably be filing this as a Jenkins SECURITY Issue , along with the details to reproduce. Only you, tne Security Admin and the plugin maintainers will see the details.

Kalle Niemitalo added a comment - 2020-02-08 08:17 - edited

This seems a duplicate of ~~JENKINS-50242~~; as documented, Jenkins does not attempt to prevent malicious pipelines from revealing credentials to which they have access. See also ~~JENKINS-42950~~ and Limitations of Credentials Masking (aka WEBSITE-610).

Kalle Niemitalo added a comment - 2020-02-08 08:17 - edited This seems a duplicate of JENKINS-50242 ; as documented, Jenkins does not attempt to prevent malicious pipelines from revealing credentials to which they have access. See also JENKINS-42950 and Limitations of Credentials Masking (aka WEBSITE-610).

Kalle Niemitalo made changes - 2020-02-08 08:17

Link

New: This issue duplicates ~~JENKINS-50242~~ [ ~~JENKINS-50242~~ ]

Kalle Niemitalo made changes - 2020-02-08 08:18

Link

New: This issue relates to ~~JENKINS-42950~~ [ ~~JENKINS-42950~~ ]

Kalle Niemitalo made changes - 2020-02-08 08:19

Link

New: This issue relates to WEBSITE-610 [ WEBSITE-610 ]

Wadeck Follonier added a comment - 2020-05-18 07:51

selmensh Thank you for the report, but as mentionned by ianw, if you have a security issue, please use the Security tracker, as mentionned in https://www.jenkins.io/security/reporting/

Secondly, as mentionned by kon, the documentation is clear about this part. As a user with Job/Configure, you have access to the credentials for your pipeline. We cannot differentiate a legit usage of the credentials inside a curl command and a malicious one, both are using the plain text value of the credentials, one for building something and the other to steal the credentials.

I will close this ticket as not a defect and invite you to use different approach to protect your instance/credentials. For example, you can limit the credentials per folders and then restrict access of the users to that folder.

Wadeck Follonier added a comment - 2020-05-18 07:51 selmensh Thank you for the report, but as mentionned by ianw , if you have a security issue, please use the Security tracker, as mentionned in https://www.jenkins.io/security/reporting/ Secondly, as mentionned by kon , the documentation is clear about this part. As a user with Job/Configure, you have access to the credentials for your pipeline. We cannot differentiate a legit usage of the credentials inside a curl command and a malicious one, both are using the plain text value of the credentials, one for building something and the other to steal the credentials. I will close this ticket as not a defect and invite you to use different approach to protect your instance/credentials. For example, you can limit the credentials per folders and then restrict access of the users to that folder.

Wadeck Follonier made changes - 2020-05-18 07:52

Resolution		New: Not A Defect [ 7 ]
Status	Original: Open [ 1 ]	New: Closed [ 6 ]

Assignee:: Unassigned

Reporter:: sara elmenshawy

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2020-02-04 12:50

Updated:: 2020-05-18 07:52

Resolved:: 2020-05-18 07:52

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Ian Williams added a comment - 2020-02-08 07:12, Edited by Ian Williams - 2020-02-08 07:13

Expand comment: Ian Williams added a comment - 2020-02-08 07:12, Edited by Ian Williams - 2020-02-08 07:13

Collapse comment: Kalle Niemitalo added a comment - 2020-02-08 08:17, Edited by Kalle Niemitalo - 2020-02-08 08:18

Expand comment: Kalle Niemitalo added a comment - 2020-02-08 08:17, Edited by Kalle Niemitalo - 2020-02-08 08:18

Collapse comment: Wadeck Follonier added a comment - 2020-05-18 07:51

Expand comment: Wadeck Follonier added a comment - 2020-05-18 07:51

People

Dates