Securing user profile pages

Hi everyone,

I’ve recently had a pentest of my Jira instance and they’ve found that you can access and edit other users’ profiles. I’m running Jenkins 2.528.3 and using the Active Directory and Role-based Authorization Strategy plugins to handle authentication and permissions.

What solutions are there to prevent any user from accessing other users’ profile pages?

If anyone runs into this issue, I was able to solve this using nginx to redirect all requests from /user/username to /me using:

# Match /user/<name> and anything below it; the optional capture keeps the sub-path
location ~ ^/user/[^/]+(/.*)?$ {
    # Send the caller to the same sub-path under their own profile
    return 301 /me$1;
}

This keeps all functionality for the user’s own profile, while preventing access to other users’ pages.
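An added check, not from the thread, that verifies the redirect above actually takes effect in front of Jenkins. It mirrors the nginx regex in `expected_redirect`, requests each path without following redirects, and flags any `/user/...` path that is passed through (for example when the Jenkins port itself is reachable and the proxy is skipped). The base URL is a placeholder; `fetch` can be swapped for a stub to run offline.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Mirrors the nginx location block from the post:
#   location ~ ^/user/[^/]+(/.*)?$ { return 301 /me$1; }
USER_PATH = re.compile(r"^/user/[^/]+(/.*)?$")


def expected_redirect(path):
    """Target nginx should answer with, or None if the request is passed to Jenkins."""
    m = USER_PATH.match(path)
    return None if m is None else "/me" + (m.group(1) or "")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None stops urllib from following the 301, so we can inspect it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status_location(url):
    """GET `url` without following redirects; return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 301 surfaces here because we refused to follow it
        return e.code, e.headers.get("Location")


def check_proxy(base_url, paths, fetch=fetch_status_location):
    """Return [(path, ok, detail)] comparing the proxy's answer with the expected redirect."""
    base = base_url.rstrip("/")
    results = []
    for path in paths:
        want = expected_redirect(path)
        status, location = fetch(base + path)
        if want is None:
            ok = status != 301
            detail = f"status {status}" if ok else f"unexpected redirect to {location}"
        else:
            # nginx normally emits an absolute Location; compare the path part only.
            got = urlsplit(location or "").path
            ok = status == 301 and got == want
            detail = f"{status} -> {location}" if ok else f"{status} -> {location}, expected 301 -> {want}"
        results.append((path, ok, detail))
    return results


if __name__ == "__main__":
    # Placeholder host (constructed); run this from a client that goes through nginx
    for row in check_proxy("https://ci.example.test", ["/user/alice", "/user/alice/configure", "/me"]):
        print(row)
```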

As a normal user you can visit other users’ profiles but you don’t see much there.
On the profile page there is just the user ID and maybe some groups; on the builds page you see which job runs the user was involved in. And maybe some plugins allow seeing something.
But you should not be able to modify anything or get access to sensitive data.
As admin you can see everything but as admin you can also access the file system and read the data from there so that makes no difference.