Bug 573993

Summary: Username Compromised using jenkins
Product: [Modeling] Viatra
Reporter: amol londhe <amollondhe_2007>
Component: Common
Assignee: Zoltan Ujhelyi <zoltan.ujhelyi>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: denis.roy, webmaster, zoltan.ujhelyi
Version: unspecified
Keywords: security
Target Milestone: ---   
Hardware: PC   
OS: Windows 10   
Whiteboard:
Attachments:
poc (Flags: none)

Description amol londhe CLA 2021-06-03 16:45:16 EDT
Created attachment 286522 [details]
poc

Eclipse.org/viatra exposed a Jenkins server on the internet without any authentication. This allowed anyone to see the users listed in https://build.incquerylabs.com/jenkins/view/All/asynchPeople/, and also anyone could create a user account on the Jenkins server.
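The two settings behind the report (anonymous read access, which exposes the people view, and open self-registration), shown side by side as Jenkins Configuration as Code (JCasC) fragments. This is an added example, not configuration taken from the IncQuery Labs server or the VIATRA project; it assumes the instance is managed with the configuration-as-code plugin, each document below is a separate file, and `ADMIN_PASSWORD` is a placeholder resolved from the environment.

```yaml
# weak.yaml: the state described in the report (constructed example)
jenkins:
  securityRealm:
    local:
      allowsSignup: true          # anyone reaching the server can create an account
  authorizationStrategy:
    loggedInUsersCanDoAnything:
      allowAnonymousRead: true    # /asynchPeople/ and job pages are readable without login
---
# hardened.yaml: self-registration off, no anonymous read
jenkins:
  securityRealm:
    local:
      allowsSignup: false         # accounts are created by an administrator only
      users:
        - id: admin
          password: ${ADMIN_PASSWORD}   # placeholder; injected as a secret, never committed
  authorizationStrategy:
    loggedInUsersCanDoAnything:
      allowAnonymousRead: false   # every page, including the people view, requires login
```

Verify the change by requesting the people view without credentials: with `allowAnonymousRead: false` Jenkins answers with a redirect to the login page instead of the user list, and with `allowsSignup: false` the sign-up link disappears from that page.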
Comment 1 Denis Roy CLA 2021-06-03 16:53:14 EDT
I'll reassign this to the project in question, as this has nothing to do with the Eclipse CI systems.
Comment 2 Zoltan Ujhelyi CLA 2021-06-04 02:47:38 EDT
This server is not related to the VIATRA project but a separate one maintained by IncQuery Labs; we are already planning to close it down. I am assigning this issue to myself and will keep it open until it happens.
Comment 3 amol londhe CLA 2021-06-04 13:40:28 EDT
@zoltan I hope the security bug is considered and triaged.
Comment 4 amol londhe CLA 2021-06-12 15:44:25 EDT
@zoltan.ujhelyi@incquerylabs.com Any update?
Comment 5 Zoltan Ujhelyi CLA 2021-08-12 08:30:07 EDT
The Jenkins instance is no more available from the public internet without login.
Comment 6 Denis Roy CLA 2021-08-12 08:55:42 EDT
Thanks!
Comment 7 amol londhe CLA 2021-08-16 16:59:14 EDT
@zoltan.ujhelyi@incquerylabs.com No bounty for this ???
Comment 8 amol londhe CLA 2021-09-13 14:47:09 EDT
Why no reply????
Comment 9 amol londhe CLA 2021-09-23 17:09:48 EDT
?????????
Comment 10 Denis Roy CLA 2021-09-23 17:13:02 EDT
There is no bounty offered. Thanks for your contribution.