  1. Bamboo Artifactory Plug-in
  2. BAP-385

artifactoryAdminConfigServlet Displays Password Variables in Plaintext

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.3.0
    • Labels:
      None

      Description

      The endpoint <bamboo_host>/plugins/servlet/artifactoryAdminConfigServlet displays all Bamboo global/plan variables, including passwords in plain text, and does NOT require any credentials to view the page.

      It is critical that this is resolved as soon as possible as we rely on the Bamboo global variables to distribute the Artifactory credentials to all ~5000 build plans that are configured to upload to Artifactory. In our Artifactory environment, deploy access is restricted to our Bamboo ID or Artifactory admins.

      This page should either display **** in the password fields, require Bamboo administrator privileges to access, or not be exposed at all.
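The remediations requested above (an administrator check and masked password fields), sketched as an added example beside a handler that behaves as the report describes. This is not the plug-in's code or the 2.3.0 fix; the `User` type, the marker list and the sample variables are assumptions made for illustration.

```python
import html
from dataclasses import dataclass

# Assumption: a variable is treated as secret when its key contains a marker.
SECRET_MARKERS = ("password", "secret", "passphrase", "token")
MASK = "****"  # fixed length, so the mask does not reveal the value's length

@dataclass(frozen=True)
class User:  # hypothetical stand-in for the caller's authenticated session
    name: str
    is_admin: bool

def is_secret(key):
    lowered = key.lower()
    return any(marker in lowered for marker in SECRET_MARKERS)

def render_vulnerable(user, variables):
    """Behaviour described in the report: no caller check, values shown as stored."""
    rows = [f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in variables.items()]
    return 200, "<table>" + "".join(rows) + "</table>"

def render_hardened(user, variables):
    """Reject anonymous and non-admin callers, then mask secret values."""
    if user is None:
        return 401, ""   # no session: nothing is rendered
    if not user.is_admin:
        return 403, ""   # authenticated, but not an administrator
    rows = []
    for key, value in sorted(variables.items()):
        shown = MASK if is_secret(key) else value
        rows.append(
            f"<tr><td>{html.escape(key)}</td><td>{html.escape(shown)}</td></tr>"
        )
    return 200, "<table>" + "".join(rows) + "</table>"

# Constructed sample data, not taken from any real instance.
SAMPLE_VARS = {
    "artifactory.deployer.username": "bamboo-deployer",
    "artifactory.deployer.password": "constructed-example-value",
}

if __name__ == "__main__":
    for caller in (None, User("dev", False), User("admin", True)):
        status, body = render_hardened(caller, SAMPLE_VARS)
        print(caller, status, body)
```

Applying both controls together means a gap in the access check still does not put the stored value on the page.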


            People

            • Assignee: Yahav Itzhak (yahavi)
            • Reporter: Matthew Perrault (matthew.perrault)
