JENKINS-72974

Bug in Email Extension plugin: we can use any email address in the 'from' field and kind of impersonate anybody.

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Critical
    • email-ext-plugin
    • None

      When we use the plugin email-ext, we can give any email ID in the 'from' field, and it will send an email from the ID which is specified in the 'from' field.

      Example pipeline:

      pipeline {
          agent any
          stages {
              stage('test') {
                  steps {
                      // Your build steps here
                      echo 'Building...'
                      // Send email notification using emailext plugin within the build stage
                      emailext mimeType: 'text/html',
                               body: 'Test Message',
                               subject: 'test sub',
                               from: 'noorjahan.s@allianz.com',
                               to: 'noorus1218@gmail.com'
                  }
              }
          }
      }

      Here, the mail will come from noorjahan.s@allianz.com. If I change the 'from' mail ID to somebody else, say renjith@allianz.com, then a mail from renjith@allianz.com is received. And the mail is not visible in the sent items of the sender. So in this way, anybody can change the 'from' mail ID and send emails from others' email IDs by impersonating them.

            Assignee: Unassigned
            Reporter: Noorjahan (noorjahans)
            Votes: 0
            Watchers: 3
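One way to audit for the behaviour reported above, as an added example that is not part of the original issue or of the plugin's code: a Python check that scans Jenkinsfile text for emailext steps whose 'from' argument is a literal outside an approved sender list, or an expression resolved at build time. The allowlisted address, the function names and the sample pipeline are assumptions constructed for illustration.

```python
import re

# Assumption: the only sender address this Jenkins instance may use.
ALLOWED_SENDERS = {"jenkins@ci.example.com"}

# One named Groovy argument: key, then a quoted string or a bare expression.
# Consuming whole string literals keeps text inside 'body' from being read as a key.
ARG = re.compile(r"""(\w+)\s*:\s*('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|[^,\n)]+)""")

def emailext_calls(text):
    """Yield (line_number, argument_text) for each emailext step."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = re.search(r"\bemailext\b(.*)", lines[i])
        if m and not lines[i].lstrip().startswith("//"):
            start, args = i + 1, m.group(1)
            # The step continues while a line ends with ',' or an opening '('.
            while args.rstrip().endswith((",", "(")) and i + 1 < len(lines):
                i += 1
                args += "\n" + lines[i]
            yield start, args
        i += 1

def audit(text, allowed=ALLOWED_SENDERS):
    """Return (line, kind, value) for every emailext step that overrides 'from'."""
    findings = []
    for lineno, args in emailext_calls(text):
        sender = dict(ARG.findall(args)).get("from", "").strip()
        if not sender:
            continue  # no per-step sender override
        if sender[0] in "'\"":
            if sender[1:-1].lower() not in allowed:
                findings.append((lineno, "unapproved", sender[1:-1]))
        else:
            findings.append((lineno, "dynamic", sender))  # chosen at build time
    return findings

# Constructed sample pipeline fragment (all addresses are placeholders).
SAMPLE = """\
steps {
    // Send email notification using emailext plugin
    emailext mimeType: 'text/html',
             body: "sent from: 'nobody'",
             from: 'someone.else@example.com',
             to: 'dev@example.com'
    emailext(subject: 'ok', body: 'b', to: 'dev@example.com')
    emailext subject: 's', body: 'b', from: params.SENDER, to: 'dev@example.com'
}
"""
print(audit(SAMPLE))
```

The scan is line-based and does not handle triple-quoted Groovy strings; it is meant as a repository-wide review aid, not a parser.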