Bug
Resolution: Duplicate
Critical
None
When we use the plugin email-ext, we can give any email ID in the 'from' field and it will send an email from the ID which is specified in the 'from' field.
Example pipeline:
pipeline {
    agent any
    stages {
        stage('test') {
            steps
        }
    }
}
Here, the mail will come from noorjahan.s@allianz.com. If I change the from mail id to somebody else, say renjith@allianz.com, then a mail from renjith@allianz.com is received. And the mail is not visible in the sent items of the sender. So in this way, anybody can change the from mail id and send emails from others' email id by impersonating them.
duplicates: JENKINS-71925 Deprecation of jobs modifying the 'from' email field (Open)
Unsure this is really a bug. Instead, configure a mail server/email account in Jenkins that is not authorized for arbitrary senders from your domain.
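An added example, not part of this issue or of the plugin's code: alongside restricting the mail account, an administrator can audit Jenkinsfiles for `emailext` or `mail` steps that set `from` to anything other than the approved sender. The allowed address and the sample pipeline are constructed placeholders, and the regex matching is a heuristic, not a Groovy parser.

```python
import re

# Assumption: the only sender the Jenkins mail account is meant to use.
ALLOWED_SENDERS = {"jenkins@example.com"}

# An emailext/mail step, call-style "emailext(...)" or bare "emailext a: b".
# Simplification: call-style arguments with nested parentheses fall back to
# scanning the rest of the line.
STEP_RE = re.compile(
    r"\b(?P<step>emailext|mail)\b[ \t]*(?:\((?P<paren>[^()]*)\)|(?P<bare>[^\n]*))")
# The 'from' argument: a quoted literal, or any other expression (variable, param).
FROM_RE = re.compile(
    r"\bfrom\s*:\s*(?:(?P<q>['\"])(?P<lit>[^'\"]*)(?P=q)|(?P<expr>[^,\n)]+))")

def audit_from_overrides(jenkinsfile_text):
    """Return (line, step, value, verdict) for each step that sets 'from'."""
    findings = []
    for m in STEP_RE.finditer(jenkinsfile_text):
        args = m.group("paren") if m.group("paren") is not None else m.group("bare")
        f = FROM_RE.search(args)
        if not f:
            continue  # no override: the globally configured sender is used
        line = jenkinsfile_text.count("\n", 0, m.start()) + 1
        if f.group("lit") is not None:
            value = f.group("lit")
            verdict = "ok" if value.lower() in ALLOWED_SENDERS else "override"
        else:
            # Value decided at run time (parameter, env var): needs manual review.
            value, verdict = f.group("expr").strip(), "dynamic"
        findings.append((line, m.group("step"), value, verdict))
    return findings

# Constructed sample Jenkinsfile (all addresses are placeholders).
SAMPLE = """\
pipeline {
  agent any
  stages {
    stage('test') {
      steps {
        emailext(from: 'someone.else@example.com', to: 'team@example.com',
                 subject: 'build', body: 'done')
        mail to: 'team@example.com', subject: 'ok', body: 'ok'
        emailext from: params.SENDER, to: 'team@example.com', subject: 's', body: 'b'
        emailext(from: 'jenkins@example.com', to: 'team@example.com', subject: 's', body: 'b')
      }
    }
  }
}
"""

if __name__ == "__main__":
    for finding in audit_from_overrides(SAMPLE):
        print(finding)
```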