Bug 573993 - Username Compromised using jenkins
Summary: Username Compromised using jenkins
Status: RESOLVED FIXED
Alias: None
Product: Viatra
Classification: Modeling
Component: Common
Version: unspecified
Hardware: PC Windows 10
Importance: P3 normal
Target Milestone: ---
Assignee: Zoltan Ujhelyi CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
Reported: 2021-06-03 16:45 EDT by amol londhe CLA
Modified: 2021-09-23 17:13 EDT (History)
CC: 3 users
See Also:
Attachments
poc (394.41 KB, application/x-zip-compressed)
2021-06-03 16:45 EDT, amol londhe CLA
Details

Description amol londhe CLA 2021-06-03 16:45:16 EDT
Created attachment 286522 [details]
poc

Eclipse.org/viatra exposed a Jenkins server on the internet without any authentication. This allowed anyone to see the users listed at https://build.incquerylabs.com/jenkins/view/All/asynchPeople/, and anyone could also create a user account on the Jenkins server.
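The two findings in the report, an unauthenticated people list and open account sign-up, map to two Jenkins security settings. The Jenkins Configuration-as-Code (JCasC) fragment below is an added example and is not taken from the bug report or from the IncQuery Labs server; the `admin` bootstrap user and the `${ADMIN_PASSWORD}` variable are assumptions. Each weak setting is shown in a comment beside its corrected value.

```yaml
# Added example (not from the report): jenkins.yaml loaded via CASC_JENKINS_CONFIG.
jenkins:
  securityRealm:
    local:
      # Weak:  allowsSignup: true  lets any visitor register an account
      #        (the report's second finding).
      allowsSignup: false            # corrected: only administrators create users
      users:
        - id: "admin"                # assumed bootstrap account
          password: "${ADMIN_PASSWORD}"   # assumed secret, injected from the environment
  authorizationStrategy:
    loggedInUsersCanDoAnything:
      # Weak:  allowAnonymousRead: true  (or no authorization strategy at all) lets
      #        an unauthenticated browser render /asynchPeople/ and the job list
      #        (the report's first finding).
      allowAnonymousRead: false      # corrected: every page requires a login
```

The same change through the UI is Manage Jenkins, then Security: uncheck "Allow users to sign up" under the Jenkins user database, and choose "Logged-in users can do anything" with "Allow anonymous read access" unchecked. After the instance restarts with this configuration, an unauthenticated request to `/asynchPeople/` is redirected to the login page instead of returning the user list, which is the check Comment 5 describes.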
Comment 1 Denis Roy CLA 2021-06-03 16:53:14 EDT
I'll reassign this to the project in question, as this has nothing to do with the Eclipse CI systems.
Comment 2 Zoltan Ujhelyi CLA 2021-06-04 02:47:38 EDT
This server is not related to the VIATRA project but is a separate one maintained by IncQuery Labs; we are already planning to close it down. I am assigning this issue to myself and will keep it open until that happens.
Comment 3 amol londhe CLA 2021-06-04 13:40:28 EDT
@zoltan I hope the security bug is considered and triaged.
Comment 4 amol londhe CLA 2021-06-12 15:44:25 EDT
@zoltan.ujhelyi@incquerylabs.com Any update?
Comment 5 Zoltan Ujhelyi CLA 2021-08-12 08:30:07 EDT
The Jenkins instance is no longer available from the public internet without login.
Comment 6 Denis Roy CLA 2021-08-12 08:55:42 EDT
Thanks!
Comment 7 amol londhe CLA 2021-08-16 16:59:14 EDT
@zoltan.ujhelyi@incquerylabs.com No bounty for this ???
Comment 8 amol londhe CLA 2021-09-13 14:47:09 EDT
Why no reply????
Comment 9 amol londhe CLA 2021-09-23 17:09:48 EDT
?????????
Comment 10 Denis Roy CLA 2021-09-23 17:13:02 EDT
There is no bounty offered. Thanks for your contribution.