[JENKINS-63530] Build Executor Status is shown for nodes where user has no access

Type: Improvement
Resolution: Unresolved
Priority: Minor
Component/s: core
Labels:
- security
- user-experience
Environment:
Jenkins 2.235.5, SLES 11.3, role-strategy-plugin 3.0

Similar Issues:
Powered by SuggestiMate

Show

Despite running jobs are filtered out by item roles, Build Executor Status is shown for nodes, which the user has no access via node roles.

This blows up the Build Executor Status with Build Processors from this nodes.

Additional an hacker gets information, that these nodes exist and can show some details about it, eg. Labels.

Markus Winter added a comment - 2022-07-04 10:49

There is no permission in Jenkins that allows to hide the existence of an agent, similar to what we have for jobs (Job/Discover, and Job/Read). Such a thing needs to be implemented in Jenkins core directly so that also matrix auth would be able to work with this.

Markus Winter added a comment - 2022-07-04 10:49 There is no permission in Jenkins that allows to hide the existence of an agent, similar to what we have for jobs (Job/Discover, and Job/Read). Such a thing needs to be implemented in Jenkins core directly so that also matrix auth would be able to work with this.

Assignee:: Oleg Nenashev

Reporter:: Torsten Kleiber

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2020-08-27 10:14

Updated:: 2022-07-04 10:49

Jenkins

Details

Description

Attachments

Activity

Collapse comment: Markus Winter added a comment - 2022-07-04 10:49

Expand comment: Markus Winter added a comment - 2022-07-04 10:49

People

Dates