- Bug
- Resolution: Fixed
- Minor
- (unreleased)
Credentials plugin allows updating credentials IDs server-side. Only the UI prevents editing the ID field by default, and that can be circumvented by users with permission to update credentials.
As this ID collision is unexpected, the credentials management UI does not handle this case well (e.g., only listing one of the credentials with conflicting IDs).
This should be fixed so that credentials cannot have the same ID in the same store.
We've considered treating this as a vulnerability, but the impact is very similar to what users with Credentials/Update permission can accomplish legitimately (e.g., changing credentials to break builds), so we decided to not consider this to be a security issue.
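One way to enforce on the server what the description asks for, shown as an added example that is not part of the issue and is not Credentials plugin code or API. The store model and all its names (`CredentialStoreModel`, `Credential`, `add`, `update`) are hypothetical, and rejecting every ID change on update is an assumed policy that mirrors the UI's read-only ID field.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; hypothetical model, not Credentials plugin code or API.
public class CredentialStoreModel {
    // Hypothetical minimal credential: an ID plus an opaque secret.
    record Credential(String id, String secret) {}

    // Keyed by ID, so two entries with the same ID cannot coexist in one store.
    private final Map<String, Credential> byId = new LinkedHashMap<>();

    boolean add(Credential c) {
        // putIfAbsent returns null only when the ID was free.
        return byId.putIfAbsent(c.id(), c) == null;
    }

    // Server-side update: enforced here regardless of what the form submitted.
    boolean update(String currentId, Credential replacement) {
        if (!byId.containsKey(currentId)) {
            return false; // nothing to update
        }
        if (!currentId.equals(replacement.id())) {
            return false; // ID change rejected, so no collision can be created
        }
        byId.put(currentId, replacement);
        return true;
    }

    int size() { return byId.size(); }

    public static void main(String[] args) {
        CredentialStoreModel store = new CredentialStoreModel();
        // Constructed sample data.
        store.add(new Credential("deploy-key", "s3cr3t-a"));
        store.add(new Credential("registry-token", "s3cr3t-b"));

        // Legitimate update: same ID, new secret.
        System.out.println(store.update("deploy-key", new Credential("deploy-key", "rotated")));
        // Request that submits a different ID despite the read-only UI field.
        System.out.println(store.update("deploy-key", new Credential("registry-token", "x")));
        // Duplicate ID on create is refused as well.
        System.out.println(store.add(new Credential("registry-token", "y")));
        System.out.println(store.size());
    }
}
```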
- relates to
  - JENKINS-72618 remove legacy support for non ID based credentials (Open)
- links to
[JENKINS-72611] Credentials IDs can be edited
| Field | Original | New |
|---|---|---|
| Labels | | security |
| Assignee | | Yaroslav Afenkin [ yafenkin ] |
| Component/s | | cloudbees-folder-plugin [ 18137 ] |
| Resolution | | Fixed [ 1 ] |
| Status | Open [ 1 ] | Fixed but Unreleased [ 10203 ] |
| Released As | | https://github.com/jenkinsci/credentials-plugin/releases/tag/1317.v0ce519a_92b_3e https://github.com/jenkinsci/cloudbees-folder-plugin/releases/tag/6.899.vce8a_b_439f106 |
| Status | Fixed but Unreleased [ 10203 ] | Resolved [ 5 ] |
| Resolution | Fixed [ 1 ] | |
| Status | Resolved [ 5 ] | Reopened [ 4 ] |
| Link | | This issue relates to JENKINS-72618 [ JENKINS-72618 ] |
PR was reverted due to multiple regressions