[JIRA] (JENKINS-49663) pre-authentication information leak from cli's add-job-to-view
Assaf Berg created an issue

Jenkins / JENKINS-49663
pre-authentication information leak from cli's add-job-to-view

Issue Type: Bug
Assignee: Unassigned
Components: core
Created: 2018-02-20 23:12
Environment: Jenkins 2.89.4 (using the official docker image)
             Security enabled (authenticated users can do anything)
             Remoting disabled
Labels: security
Priority: Minor
Reporter: Assaf Berg

When accessing the CLI over HTTP without authentication, you get different error messages, which allows an attacker to deduce the existence of views:

When the view exists, you get the correct message:

    $ java -jar jenkins-cli.jar -s https://my-jenkins add-job-to-view ExistingView SomeJob
    ERROR: anonymous is missing the View/Read permission

When the view doesn't exist, you get a different message:

    $ java -jar jenkins-cli.jar -s https://my-jenkins add-job-to-view NonExistingView SomeJob
    ERROR: No view named NonExistingView inside view Jenkins

I think the permission check should be done first to avoid leaking information. Although this information doesn't seem critical, this behavior is worrying and there might be other (or future) cases where critical information will be revealed to unauthenticated users.
[JIRA] (JENKINS-49663) pre-authentication information leak from cli's add-job-to-view

Assaf Berg updated an issue

Jenkins / JENKINS-49663
pre-authentication information leak from cli's add-job-to-view

Change By: Assaf Berg

Added to the description:

May be related to JENKINS-43963, although that issue is not concerned with security but rather usability.

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)
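The ordering problem the reporter describes, as an added illustration that is not Jenkins code and not part of the issue thread: a minimal model of a command handler in two variants. The leaky variant resolves the named view before authorising the caller, so an anonymous caller receives a different error depending on whether the view exists; the fixed variant authorises against the parent view (which always exists) before looking anything up, so both names produce the same error. The `View`, `Jenkins`, `can_read`, `build_sample` and `is_existence_oracle` names, the message strings copied from the report, and the permission model (a per-view set of readers, `alice` as the only authenticated user) are all assumptions made for the example.

```python
"""Model of the check-ordering leak from JENKINS-49663 (added example, not Jenkins code).

A command that resolves its target before authorising the caller turns its
error message into an existence oracle. Authorising first, against an object
that exists regardless of the argument (the parent view), removes the oracle.
"""
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"


@dataclass
class View:
    name: str
    readers: set = field(default_factory=set)  # users holding View/Read on this view


@dataclass
class Jenkins:
    root: View                                   # the top-level "Jenkins" view
    views: dict = field(default_factory=dict)    # child views by name

    def can_read(self, user: str, view: View) -> bool:
        return user in view.readers


def add_job_to_view_leaky(j: Jenkins, user: str, view_name: str, job: str) -> str:
    """Original ordering: look the view up, then check permission on what was found."""
    view = j.views.get(view_name)
    if view is None:
        # Reached by anonymous callers: reveals that the view does not exist.
        return f"ERROR: No view named {view_name} inside view {j.root.name}"
    if not j.can_read(user, view):
        return f"ERROR: {user} is missing the View/Read permission"
    return f"Added {job} to {view_name}"


def add_job_to_view_fixed(j: Jenkins, user: str, view_name: str, job: str) -> str:
    """Authorise against the parent first; only then resolve the child view."""
    if not j.can_read(user, j.root):
        # Same answer for every view name, so nothing about existence leaks.
        return f"ERROR: {user} is missing the View/Read permission"
    view = j.views.get(view_name)
    if view is None:
        return f"ERROR: No view named {view_name} inside view {j.root.name}"
    if not j.can_read(user, view):
        return f"ERROR: {user} is missing the View/Read permission"
    return f"Added {job} to {view_name}"


def is_existence_oracle(handler, j: Jenkins, user: str, existing: str, missing: str) -> bool:
    """True if `user` can tell an existing view name from a missing one via the response."""
    return handler(j, user, existing, "SomeJob") != handler(j, user, missing, "SomeJob")


def build_sample() -> Jenkins:
    """Constructed sample instance: one authenticated reader, one existing view."""
    root = View("Jenkins", readers={"alice"})
    j = Jenkins(root=root)
    j.views["ExistingView"] = View("ExistingView", readers={"alice"})
    return j


if __name__ == "__main__":
    j = build_sample()
    for handler in (add_job_to_view_leaky, add_job_to_view_fixed):
        print(handler.__name__, "leaks existence to anonymous:",
              is_existence_oracle(handler, j, ANONYMOUS, "ExistingView", "NonExistingView"))
```

The important design point is which object the first check runs against: if the permission check needs the looked-up view as its subject, the lookup itself still happens first and the oracle remains. Checking a permission on the parent (or any object whose existence does not depend on the caller's input) is what makes the early return uniform. An authenticated user still gets the "No view named" error, which is the intended behaviour for someone who is allowed to read the parent view.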