![]() |
|
|
|
|
Issue Type:
|
![Bug]() Bug
|
|
Assignee:
|
Unassigned |
|
Components:
|
subversion |
|
Created:
|
11/Feb/14 1:38 PM
|
|
Description:
|
Everybody who has job configuration access rights (a so called job configurator) can select any subversion repository user configured centrally in jenkins. In past versions the job configurator must knew the user and password combination of the used subversion repository. Now it is possible that the job configurator can configure a subversion repository without having access rights but only knowing the URL and the user login but not knowing the password. So the job configurator can bypass subversion repository access restrictions to gain access to that repository content.
We have about 200 jobs configured and using project specific authorization. Lots of jobs have active NDAs. So this is a serious security issue for us.
|
|
Project:
|
Jenkins
|
|
Labels:
|
subversion
|
|
Priority:
|
![Critical]() Critical
|
|
Reporter:
|
Steffen Mork
|
|
|
|
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
|
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com.
For more options, visit
https://groups.google.com/groups/opt_out.
