![]() |
|
|
|
|
Issue Type:
|
![Bug]() Bug
|
|
Assignee:
|
Gregory Boissinot
|
|
Components:
|
envinject |
|
Created:
|
15/Aug/14 1:36 PM
|
|
Description:
|
Currently, if a user without configuration access to a job can read the job they have access to the link "Environment variables". This allows the non-privileged user to see the password hashes.
If they have Config access to a difference folder on the same master, they can use this password hash to expose the password and take control of the account.
I propose that this link or at least the password hashes be restricted to only users with job config access.
|
|
Project:
|
Jenkins
|
|
Priority:
|
![Critical]() Critical
|
|
Reporter:
|
Walter Kacynski
|
|
|
|
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
|
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
[email protected].
For more options, visit
https://groups.google.com/d/optout.
