Change By: Walter Kacynski (10/Sep/14 2:47 PM)
Description: Currently, if a user without configuration access to a job can read the job, they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.

If they have Config access to a different folder on the same master, they can use this password hash to expose the password and take control of the account by using the CLI to directly change the job config.xml.

I propose that this link or at least the password hashes be restricted to only users with job config access.