[JIRA] (JENKINS-60962) credential plugin security issue


sara.elmenshawy@valeo.com (JIRA)

Feb 4, 2020, 7:51:04 AM
to jenkinsc...@googlegroups.com
sara elmenshawy created an issue
 
Jenkins / Bug JENKINS-60962
credential plugin security issue
Issue Type: Bug
Assignee: Unassigned
Components: credentials-plugin
Created: 2020-02-04 12:50
Priority: Minor
Reporter: sara elmenshawy

I'm currently using the credentials plugin to encrypt my username and password. However, in my pipeline script I found a way to hack the password: by inserting a character in the password, this causes the password to be printed clearly, and since I'm the person who added the character, if I remove it then I have the password.

 

This causes a huge security issue for us.

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

sara.elmenshawy@valeo.com (JIRA)

Feb 4, 2020, 9:09:03 AM
to jenkinsc...@googlegroups.com
sara elmenshawy updated an issue
Change By: sara elmenshawy
Priority: Minor -> Blocker

ian.williams1@telus.com (JIRA)

Feb 8, 2020, 2:13:02 AM
to jenkinsc...@googlegroups.com
Ian Williams commented on Bug JENKINS-60962
 
Re: credential plugin security issue

You should probably be filing this as a Jenkins SECURITY Issue

ian.williams1@telus.com (JIRA)

Feb 8, 2020, 2:14:02 AM
to jenkinsc...@googlegroups.com
Ian Williams edited a comment on Bug JENKINS-60962
You should probably be filing this as a [Jenkins SECURITY Issue|https://jenkins.io/security/], along with the details to reproduce. Only you, the Security Admin and the plugin maintainers will see the details.

Kalle.Niemitalo@procomp.fi (JIRA)

Feb 8, 2020, 3:18:03 AM
to jenkinsc...@googlegroups.com

This seems a duplicate of JENKINS-50242; as documented, Jenkins does not attempt to prevent malicious pipelines from revealing credentials to which they have access. See also JENKINS-42950 and Limitations of Credentials Masking (aka WEBSITE-610).

Kalle.Niemitalo@procomp.fi (JIRA)

Feb 8, 2020, 3:19:03 AM
to jenkinsc...@googlegroups.com
Kalle Niemitalo edited a comment on Bug JENKINS-60962
This seems a duplicate of JENKINS-50242; as documented, Jenkins does not attempt to prevent malicious pipelines from revealing credentials to which they have access. See also JENKINS-42950 and [Limitations of Credentials Masking|https://jenkins.io/blog/2019/02/21/credentials-masking/] (aka WEBSITE-610).
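As an added illustration of the masking limitation the thread points to (this is not code from the thread or from the Jenkins plugins): a simplified build-log filter in the style of credentials masking, a regex over the literal secret value and a couple of encoded forms, masks the exact value but cannot recognise a value the pipeline script has altered, which is why masking is output hygiene for accidental exposure and not an access control on the credential. The secret and the log lines are constructed, and the set of encoded forms is an assumption about what such a filter covers, not the real plugin's pattern list.

```python
import base64
import re
from urllib.parse import quote


def encoded_forms(secret):
    """Textual forms of a secret a log filter might reasonably look for.
    Assumption: the literal value plus base64 and URL-encoded variants;
    this does not reproduce the real Jenkins plugin's pattern list."""
    return {
        secret,
        base64.b64encode(secret.encode()).decode(),
        quote(secret, safe=""),
    }


def build_mask_pattern(secrets):
    """One alternation over every known form, longest first so a longer
    form is not left half-masked by a shorter one that is its prefix."""
    forms = set()
    for s in secrets:
        forms |= encoded_forms(s)
    ordered = sorted(forms, key=len, reverse=True)
    return re.compile("|".join(re.escape(f) for f in ordered))


def mask(line, pattern):
    """Replace every recognised form with ****, as a build-log filter does."""
    return pattern.sub("****", line)


def main():
    secret = "s3cr3t!pw"  # constructed value, not a real credential
    pattern = build_mask_pattern([secret])
    # Constructed log lines: an accidental echo of the bound credential,
    # and output a script produced from it with one character inserted.
    # The first is masked; the second passes through, because the filter
    # only knows the exact forms it was given.
    for line in ["echo " + secret, "token=" + secret[:6] + "-" + secret[6:]]:
        print(f"{line!r:22} -> {mask(line, pattern)!r}")


if __name__ == "__main__":
    main()
```

The control that actually limits exposure is which credentials a job is allowed to bind (credential scope and who may edit the pipeline), as the linked blog post describes.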