Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-71591

Connecting agent to jenkins node with invalid secret key

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • core
    • Jenkins 2.332.3 and Jenkins 2.401.2 on Linux Environment
      Agent on Windows

      Hi,
      Agents establish a connection using the jnlp command when the secret key first 32 characters are provided instead of the all 64-characters secret key.
      e.g.
      following is command line provided by jenkins to connect agent to jenkins node

      java -jar [agent.jar](Jenkins URL/jnlpJars/agent.jar) -jnlpUrl Jenkins URL/computer//jenkins-agent.jnlp -secret 9b52b3f7ad1fb603bee7315d0644adc98965038fcf44672be9dc053c59ee0448

      but if I remove last 32 charector of secret key, It still getting connected.

      java -jar [agent.jar](Jenkins URL/jnlpJars/agent.jar) -jnlpUrl Jenkins URL/computer//jenkins-agent.jnlp -secret 9b52b3f7ad1fb603bee7315d0644adc9

      using jenkins version 2.332.3

          [JENKINS-71591] Connecting agent to jenkins node with invalid secret key

          Asif created issue -
          Mark Waite made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: agent-server-parameter-plugin [ 27422 ]
          Mark Waite made changes -
          Priority Original: Critical [ 2 ] New: Minor [ 4 ]
          Mark Waite made changes -
          Released As Original: 2.332.3
          Mark Waite made changes -
          Epic Link Original: JENKINS-45428 [ 183596 ]
          Mark Waite made changes -
          Environment Original: Jenkins on Linux Environment
          Agent on Windows           		New: Jenkins 2.332.3 and Jenkins 2.401.2 on Linux Environment
          Agent on Windows

          Lev added a comment -

          Given that this cuts the secret key down to 32 characters and it only uses numbers + lower case characters, and there is no throttling system that I am aware of, this seems like a potential security vulnerability.

          Lev added a comment - Given that this cuts the secret key down to 32 characters and it only uses numbers + lower case characters, and there is no throttling system that I am aware of, this seems like a potential security vulnerability.
          Lev made changes -
          Labels Original: jenkins New: jenkins security

            bluersw Sun WeiSheng
            asifsethar Asif
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: