JENKINS-72543

JENKINS_URL/_script only requires Overall/Read


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Component: core
    • Affects Version/s: Jenkins 2.440 and Jenkins LTS 2.426.1

      When anonymous read access is allowed, the following URL is accessible:
      "<JENKINS_URL>/_script" (please note the underscore!)

      Fortunately, trying to execute a script with the "Run" button leads to a redirect to the login page.

      In contrast, "<JENKINS_URL>/script" (without the underscore) is properly redirected to the login page by default.

      This issue can be reproduced by installing the latest weekly release or LTS release, enabling anonymous read access in the security settings and accessing the mentioned URLs.

      1. Is there a legitimate reason to make the script console available under "<JENKINS_URL>/_script" (independent of the authentication issue)? Does something depend on that URL?
      2. If both questions under 1. can be answered with "No", I'd recommend removing access to the URL completely. If the answers to 1. are "Yes", I'd recommend fixing the missing authentication (it should have the same behavior as "<JENKINS_URL>/script").

            danielbeck (Daniel Beck)
            fredg (Fred G)
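The reproduction steps above amount to a GET against the two endpoints and a look at whether Jenkins answers 200 or bounces to the login page. The following probe is an added example (not part of the issue, not Jenkins project code) that automates that comparison against a Jenkins instance whose base URL is passed on the command line; the redirect handling, the verdict names and the user-agent string are this example's own assumptions, while the two paths and the "redirects to /login" behaviour come from the report.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# The two endpoints compared in JENKINS-72543 (paths taken from the report).
ENDPOINTS = ("/script", "/_script")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header can be inspected.

    Returning None from redirect_request makes urllib raise HTTPError for the
    3xx response instead of silently fetching the login page.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location):
    """Turn a status code plus Location header into a short verdict string.

    Verdict names are this example's own convention (assumption):
      login-redirect  Jenkins sent us to its login page (expected for /script)
      reachable       the page was served to an anonymous client
      denied          an explicit 401/403
      other(<code>)   anything else, e.g. 404 if the endpoint does not exist
    """
    if status in (301, 302, 303, 307, 308) and location and "/login" in location:
        return "login-redirect"
    if status == 200:
        return "reachable"
    if status in (401, 403):
        return "denied"
    return "other(%d)" % status


def probe(base_url, path, opener=None):
    """GET base_url+path anonymously; return (status, Location-or-None)."""
    opener = opener or urllib.request.build_opener(NoRedirect())
    req = urllib.request.Request(
        urljoin(base_url, path),
        headers={"User-Agent": "jenkins-72543-check"},  # assumed, cosmetic
    )
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx (because of NoRedirect), 401, 403, 404 all land here.
        return err.code, err.headers.get("Location")


def compare(base_url, opener=None):
    """Probe both endpoints and map each path to its verdict."""
    return {path: classify(*probe(base_url, path, opener)) for path in ENDPOINTS}


def is_exposed(verdicts):
    """True when the report's finding holds: /script needs login, /_script does not."""
    return (verdicts.get("/script") == "login-redirect"
            and verdicts.get("/_script") == "reachable")


def main(argv):
    if len(argv) != 2:
        print("usage: %s <JENKINS_URL>" % argv[0])
        return 2
    verdicts = compare(argv[1])
    for path in ENDPOINTS:
        print("%-9s %s" % (path, verdicts[path]))
    exposed = is_exposed(verdicts)
    print("script console page served anonymously under /_script:", exposed)
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_script_console.py https://jenkins.example/` with anonymous read enabled, then again with it disabled to confirm the difference. The probe only issues GET requests, so it reproduces the page-access observation from the report, not the separate finding that pressing "Run" is redirected to login; checking that would need an authenticated POST with a crumb and is deliberately out of scope here.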