Issue Type: Bug
Assignee: Dominik Bartholdi
Components: config-file-provider
Created: 07/Oct/14 9:22 PM
Description:

ServerCredentialMapping.DescriptorImpl.doFillCredentialsIdItems should probably start with

if (context == null || !context.hasPermission(Item.CONFIGURE)) {
    return new ListBoxModel();
}

lest it expose credentials IDs and descriptions to anonymous users.

This is assuming that context is actually expected to be non-null. Though if so, why is CredentialsHelper.findValidCredentials ignoring it? If there is no item context, check something, such as Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER).

Project: Jenkins
Labels: security credentials
Priority: Blocker
Reporter: Jesse Glick
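
A sketch of the guard described in the report, covering both the item-context case and the no-context fallback. This is an added example, not code from the config-file-provider plugin or from the reporter. Assumptions: the class name GuardedCredentialsFill is hypothetical, the credential type StandardUsernameCredentials is chosen for illustration, and the lookup uses the Credentials plugin's CredentialsProvider.lookupCredentials instead of CredentialsHelper.findValidCredentials, whose signature is not shown in the report.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;

// Hypothetical descriptor helper (assumption): stands in for
// ServerCredentialMapping.DescriptorImpl, which is not reproduced here.
public class GuardedCredentialsFill {

    // Stapler exposes doFill* methods as HTTP endpoints, so the permission
    // check has to live in the method itself; hiding the form is not enough.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item context) {
        if (context != null) {
            // Item context present: only users who may configure that item
            // get to see credential IDs and descriptions.
            if (!context.hasPermission(Item.CONFIGURE)) {
                return new ListBoxModel();
            }
        } else if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
            // No item context (for example a global configuration page):
            // fall back to a Jenkins-wide permission, as the report suggests.
            return new ListBoxModel();
        }

        // The caller is authorized; the lookup is scoped to the context
        // instead of ignoring it. Credential type is an assumption.
        return new StandardListBoxModel()
                .withEmptySelection()
                .withAll(CredentialsProvider.lookupCredentials(
                        StandardUsernameCredentials.class,
                        context,
                        ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()));
    }
}
```

Both denial branches return an empty ListBoxModel rather than an error, so an unauthorized caller learns nothing about which credentials exist.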