According to my understanding the master communicates with the slaves by sending and receiving Java objects. AFAIK there is no validation for the objects the master receives from the slaves. So, even though there is no easy way for a random dude to inject his own objects into the stream, if that were to happen, the master would trust the slaves and would use the objects.
The reverse problem also exists: the master can execute any commands on the slaves and, depending on the master security settings, people you do not trust might be able to execute commands on the slave if they can create or change job configurations or access the script console. Do not run slaves on hosts you do not trust or run a slave for a master you do not trust.

-- Sami

Matthew Buckett <buck...@gmail.com> wrote on 30.3.2012 at 22.23:

> On the wiki page https://wiki.jenkins-ci.org/display/JENKINS/Securing+Jenkins
> it mentions that slaves are able to execute code on the master node.
>
> Is this page correct, is the Jenkins master only as secure as the weakest
> node?
>
> Thanks.
>
> Matthew Buckett