Jenkins / JENKINS-60962

credential plugin security issue

Details

    Description

I'm currently using the credentials plugin to encrypt my username and password. However, in my pipeline script I found a way to hack the password: by inserting a character in the password, I cause the password to be printed clearly, and since I'm the person who added the character, if I remove it then I have the password.


      This causes a huge security issue for us.


          Activity

ianw Ian Williams added a comment - edited

You should probably be filing this as a Jenkins SECURITY Issue, along with the details to reproduce. Only you, the Security Admin and the plugin maintainers will see the details.

kon Kalle Niemitalo added a comment - edited

This seems a duplicate of JENKINS-50242; as documented, Jenkins does not attempt to prevent malicious pipelines from revealing credentials to which they have access. See also JENKINS-42950 and Limitations of Credentials Masking (aka WEBSITE-610).

wfollonier Wadeck Follonier added a comment

selmensh Thank you for the report, but as mentioned by ianw, if you have a security issue, please use the Security tracker, as mentioned in https://www.jenkins.io/security/reporting/

Secondly, as mentioned by kon, the documentation is clear about this part. As a user with Job/Configure, you have access to the credentials for your pipeline. We cannot differentiate a legitimate usage of the credentials inside a curl command from a malicious one; both are using the plain text value of the credentials, one for building something and the other to steal the credentials.

I will close this ticket as not a defect and invite you to use a different approach to protect your instance/credentials. For example, you can limit the credentials per folder and then restrict access of the users to that folder.

People

  Assignee: Unassigned
  Reporter: selmensh sara elmenshawy