[OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

Zaro zaro0508 at gmail.com
Tue Jun 14 19:02:20 UTC 2016


----- [ snippet ] ------------
>
> The behavior changed between 1.651.1 and 1.652.2.
>
> Specifically this was a security fix that came in with 1.652.2. See the
> security fixes [0] that came with the release notes. Search for
> SECURITY-250 or CVE-2016-3723.
>
> -Andy-
>
> [0]
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

Hmm.  I just tested with Jenkins ver 1.653 and was still able to
access plugin info using REST api as an anonymous user.
I enabled security with the following settings:
 * jenkins own db
 * logged-in user can do anything
 * prevent cross site request

While not logged in I can get plugin info using
'<jenkins-baseurl>/pluginManager/api/json?depth=1'

Maybe there's some setting you have enabled that's causing your
Jenkins to require admin to access plugin info?
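
A small check for the behaviour Zaro describes, added here as an example; it is not part of the thread, of Jenkins, or of JJB. It requests the endpoint quoted above either anonymously or with a username and API token over HTTP Basic auth, and reports whether plugin names and versions come back (the question the thread is about), whether the server answered 401/403 (admin required), or something else such as a redirect to a login page. The response shape it parses (a top-level "plugins" list whose entries carry "shortName" and "version") is the Jenkins plugin manager JSON API's as I know it and is an assumption; SAMPLE_RESPONSE is constructed data so the parsing part runs offline. Standard library only.

```python
"""Check whether a Jenkins instance serves its plugin inventory anonymously.

Added example for the OpenStack-Infra thread above; not Jenkins, JJB or
OpenStack-Infra code. Standard library only, so it runs anywhere.
"""
import base64
import json
import sys
import urllib.error
import urllib.request

# The endpoint quoted in the thread.
PLUGIN_API_PATH = "/pluginManager/api/json?depth=1"

# Constructed sample of what the endpoint returns when it is readable.
# Field names are an assumption about the Jenkins plugin manager JSON API.
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "2.4.4", "active": True},
        {"shortName": "ssh-slaves", "version": "1.11", "active": True},
        {"shortName": "matrix-auth", "version": "1.4", "active": False},
    ]
})


def fetch_plugin_info(base_url, user=None, token=None, timeout=10):
    """GET the plugin manager API and return (http_status, body_text).

    401/403 are returned as a status instead of raised, because "admin
    required" is exactly the outcome we want to distinguish from a 200
    that carries plugin data. user/token are optional and are sent as
    HTTP Basic auth (Jenkins accepts a username plus API token this way).
    Note: urllib follows redirects, so a redirect to the login page comes
    back as a 200 with HTML; classify() treats that as "unexpected".
    """
    req = urllib.request.Request(base_url.rstrip("/") + PLUGIN_API_PATH)
    if user and token:
        cred = base64.b64encode(f"{user}:{token}".encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def summarize_plugins(body_text):
    """Extract (shortName, version) pairs from a plugin manager JSON body.

    Assumed shape: {"plugins": [{"shortName": ..., "version": ...}, ...]}.
    Entries missing either field are skipped rather than crashing the check.
    Raises ValueError (json.JSONDecodeError) if the body is not JSON at all.
    """
    data = json.loads(body_text)
    pairs = []
    for plugin in data.get("plugins", []):
        if "shortName" in plugin and "version" in plugin:
            pairs.append((plugin["shortName"], str(plugin["version"])))
    return pairs


def classify(status, body_text):
    """Map an HTTP result to what it means for the question in the thread.

    "exposed"       -> 200 with at least one plugin name/version visible
    "empty"         -> 200 and valid JSON, but no plugin entries
    "requires-auth" -> 401 or 403, i.e. the caller lacks permission
    "unexpected"    -> anything else, including a 200 that is not JSON
                       (typically a login page reached via redirect)
    """
    if status in (401, 403):
        return "requires-auth"
    if status == 200:
        try:
            plugins = summarize_plugins(body_text)
        except ValueError:
            return "unexpected"
        return "exposed" if plugins else "empty"
    return "unexpected"


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} <jenkins-baseurl> [user api-token]")
        return 2
    base = argv[1]
    user, token = (argv[2], argv[3]) if len(argv) >= 4 else (None, None)
    status, body = fetch_plugin_info(base, user, token)
    verdict = classify(status, body)
    who = "as " + user if user else "anonymously"
    print(f"{base} {who}: HTTP {status} -> {verdict}")
    if verdict == "exposed":
        for name, version in sorted(summarize_plugins(body)):
            print(f"  {name} {version}")
    # Exit 0 only when the server refused the request, which is the
    # behaviour Andy reports; exit 1 when plugin data came back.
    return 0 if verdict == "requires-auth" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once without credentials and once with an admin user and API token against the same instance; comparing the two verdicts (and the plugin lists, if both return data) tells you whether the endpoint is gated on Overall/Administer on that Jenkins, independent of which version string it reports.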
