[JENKINS-69278] Missing permission check allows listing workspace contents

      There is currently a security alert for this plugin, but the SECURITY-2404 issue is still private.

      Is work being done on it? Can a fix be expected any time soon?

          Mark Waite added a comment - edited

          The security issue is described in the July 27, 2022 security advisory. I'm reasonably confident that no work is currently being done to resolve the issue.

          The security team contacts plugin maintainers and gives them a reasonable time to fix the issue before they publish a security advisory. If the maintainer does not respond or does not provide the fix, then the advisory is published to note that there is a known issue in the plugin.

          We'd love to have you or someone at your employer adopt the plugin, resolve the security issue, and release a new version of the plugin. There is a five part video series on adopting a plugin and a three part video series on resolving a vulnerability in a plugin. If you prefer written instructions, there is the "Contributing to Open Source" document that guides many of the same steps.


          Sandeep Kumar Mahapatra added a comment -

          I have created a pull request: https://github.com/jenkinsci/android-signing-plugin/pull/3

          restjohn Kindly review.

          Michael Nazzareno added a comment -

          markewaite Willing to help, but I really have poor knowledge about it. I know that we have a Jelly form and I read some documentation, but, for instance, the sign plugin project has ANDROID_HOME or other variables that ask to sign some package and so on; what exactly do we need to avoid, because ANDROID_HOME can be outside the workspace, since it's an external tool?

          Mark Waite added a comment -

          panicking I don't know the plugin to be able to help with the question.