[JENKINS-63530] Build Executor Status is shown for nodes where user has no access - Jenkins Jira

XML

Word

Printable

Details

Type: Improvement
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Component/s: core
Labels:
- security
- user-experience
Environment:
Jenkins 2.235.5, SLES 11.3, role-strategy-plugin 3.0

Similar Issues:

Show

Description

Despite running jobs are filtered out by item roles, Build Executor Status is shown for nodes, which the user has no access via node roles.

This blows up the Build Executor Status with Build Processors from this nodes.

Additional an hacker gets information, that these nodes exist and can show some details about it, eg. Labels.

Attachments

Activity

Markus Winter added a comment - 2022-07-04 10:49

There is no permission in Jenkins that allows to hide the existence of an agent, similar to what we have for jobs (Job/Discover, and Job/Read). Such a thing needs to be implemented in Jenkins core directly so that also matrix auth would be able to work with this.

Markus Winter added a comment - 2022-07-04 10:49 There is no permission in Jenkins that allows to hide the existence of an agent, similar to what we have for jobs (Job/Discover, and Job/Read). Such a thing needs to be implemented in Jenkins core directly so that also matrix auth would be able to work with this.

People

Assignee:: Oleg Nenashev

Reporter:: Torsten Kleiber

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2020-08-27 10:14

Updated:: 2022-07-04 10:49