  1. Jenkins
  2. JENKINS-65949

Unauthenticated users can read all on asynchPeople link when Anonymous user has global read role


    • Type: Task
    • Resolution: Unresolved
    • Priority: Minor
    • core
    • None
    • jenkins 2.263.4, redHat 7, RoleBasedStrategy Plugin

      The error occurs when the anonymous user is granted global read permissions.
      All unauthenticated users can dump the information by entering the asynchPeople link.

      We are using the Roles plugin (Role based Strategy) and we grant the global read to the anonymous user so that all users have visibility of what the rest of the teams are doing.
      But in our organization, obtaining personal information from other users is considered a serious security violation.
      They should only have access to see the pipelines and folders.

            Assignee: Unassigned
            Reporter: Diego Campos (d3camp0s)