[OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions
Darragh Bailey
daragh.bailey at gmail.com
Tue Jun 14 19:13:01 UTC 2016
The 1.652.x series is an LTS release, so fixes were backported to it that
are not in subsequent dev releases.
Darragh Bailey
"Nothing is foolproof to a sufficiently talented fool" - unknown
On 14 Jun 2016 20:02, "Zaro" <zaro0508 at gmail.com> wrote:
> ----- [ snippet ] ------------
> >
> > The behavior changed between 1.651.1 and 1.652.2.
> >
> > Specifically this was a security fix that came in with 1.652.2. See the
> > security fixes [0] that came with the release notes. Search for
> > SECURITY-250 or CVE-2016-3723.
> >
> > -Andy-
> >
> > [0]
> >
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>
> Hmm. I just tested with Jenkins ver 1.653 and was still able to
> access plugin info using REST api as an anonymous user.
> I enabled security with the following settings:
> * jenkins own db
> * logged-in user can do anything
> * prevent cross site request
>
> While not logged in I can get plugin info using
> '<jenkins-baseurl>/pluginManager/api/json?depth=1'
>
> Maybe there's some setting you have enabled that's causing your
> jenkins to require admin to access plugin info?
>
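The check Zaro describes (enable security, then fetch the plugin-manager endpoint while not logged in) can be scripted so it is repeatable across versions. The script below is an added example and is not from this thread or from Jenkins or JJB; the base URL, user name and API token are placeholders to be supplied by the operator of the instance being checked, and only the Python standard library is used. It requests `<jenkins-baseurl>/pluginManager/api/json?depth=1` once anonymously and, optionally, once with credentials, without following redirects, so a bounce to the login page is reported as such rather than mistaken for a successful read.

```python
"""Check whether a Jenkins instance exposes plugin metadata to anonymous users.

Added example (not from the thread). It replays the manual test described
in the thread: request <jenkins-baseurl>/pluginManager/api/json?depth=1
without credentials and, optionally, again with a user/API-token pair.
Assumptions: the base URL, user name and token below are placeholders
supplied by the operator; standard library only.
"""
import base64
import json
import sys
import urllib.error
import urllib.request


def plugin_api_url(base_url: str) -> str:
    """Build the plugin-manager endpoint URL named in the thread."""
    return base_url.rstrip("/") + "/pluginManager/api/json?depth=1"


def classify(status: int, body: bytes = b"") -> str:
    """Map an HTTP status (and body) into a verdict for the probe.

    'exposed'   - 200 with a JSON document carrying a 'plugins' list
    'protected' - 401/403: the server demanded a permission we lack
    'redirect'  - 30x: typically a bounce to the login page, also protected
    'unknown'   - anything else, worth a manual look
    """
    if status == 200:
        try:
            doc = json.loads(body.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            return "unknown"  # 200 but not JSON, e.g. an HTML login page
        if isinstance(doc, dict) and isinstance(doc.get("plugins"), list):
            return "exposed"
        return "unknown"
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400:
        return "redirect"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 30x surfaces as an HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, user: str = None, token: str = None, timeout: int = 10) -> str:
    """Fetch the endpoint anonymously (or with basic auth) and classify the result."""
    req = urllib.request.Request(plugin_api_url(base_url))
    if user and token:
        cred = base64.b64encode(f"{user}:{token}".encode("utf-8")).decode("ascii")
        req.add_header("Authorization", "Basic " + cred)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 401/403 and (because of _NoRedirect) 30x arrive here
        return classify(err.code, err.read())


if __name__ == "__main__":
    # Placeholder base URL; pass the real one as argv[1], then user and token.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://jenkins.example.invalid:8080"
    anon = probe(base)
    print(f"anonymous access to plugin info: {anon}")
    if len(sys.argv) > 3:
        print(f"authenticated access: {probe(base, sys.argv[2], sys.argv[3])}")
    # Non-zero exit when anonymous users can read the plugin list.
    sys.exit(1 if anon == "exposed" else 0)
```

Run it against the same instance before and after applying a core upgrade and the change in verdict for the anonymous request shows directly whether the permission check is in effect; an authenticated run with an admin token should report `exposed` either way, which is what JJB relies on.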