  Bamboo Artifactory Plug-in / BAP-385

artifactoryAdminConfigServlet Displays Password Variables in Plaintext

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.3.0
    • Labels:
      None

      Description

      The endpoint <bamboo_host>/plugins/servlet/artifactoryAdminConfigServlet displays all Bamboo global/plan variables, including passwords in plain text, and does NOT require any credentials to view the page.

      It is critical that this is resolved as soon as possible as we rely on the Bamboo global variables to distribute the Artifactory credentials to all ~5000 build plans that are configured to upload to Artifactory. In our Artifactory environment, deploy access is restricted to our Bamboo ID or Artifactory admins.

      This page should either display **** in the password fields, require Bamboo administrator privileges to access, or not be exposed at all.
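
The first two remediations named in the report (mask password fields, require administrator privileges), combined in one sketch with a regression check for leaked values. This is an added example, not the plug-in's code or its actual fix; `User`, `render_admin_config`, `leaks`, the key pattern and the sample variables are all hypothetical.

```python
import re
from dataclasses import dataclass

# Assumption: a variable whose key contains one of these words holds a secret.
SENSITIVE_KEY = re.compile(r"password|passphrase|secret|token", re.IGNORECASE)
MASK = "****"


@dataclass(frozen=True)
class User:
    """Hypothetical stand-in for the authenticated caller."""
    name: str
    is_admin: bool = False


def mask_variables(variables):
    """Return a copy in which every sensitive-looking key has a masked value."""
    return {k: (MASK if SENSITIVE_KEY.search(k) else v) for k, v in variables.items()}


def render_admin_config(user, variables):
    """Return (status, body): 401 for anonymous, 403 for non-admins,
    200 with masked values for administrators."""
    if user is None:
        return 401, ""
    if not user.is_admin:
        return 403, ""
    masked = mask_variables(variables)
    return 200, "\n".join(f"{k}={v}" for k, v in sorted(masked.items()))


def leaks(body, variables):
    """Regression check: keys whose secret value appears verbatim in a response body."""
    return sorted(
        k for k, v in variables.items()
        if SENSITIVE_KEY.search(k) and v and v in body
    )


# Constructed sample data, not taken from any real Bamboo instance.
SAMPLE_VARIABLES = {
    "artifactory.deployer.username": "bamboo-ci",
    "artifactory.deployer.password": "constructed-example-value",
    "build.retries": "3",
}
```

Running `leaks` over the body returned to an anonymous request and to an administrator request gives a test that fails if either the access check or the masking regresses.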

            People

            Assignee:
            yahavi Yahav Itzhak
            Reporter:
            matthew.perrault Matthew Perrault
            Votes:
            0
            Watchers:
            4