gmacario / easy-jenkins

Easily deploy a Jenkins CI/CD infrastructure via docker-compose
MIT License

GitHub Pull Request Builder 1.40.0: GitHub access tokens stored in build.xml #258

Closed: gmacario closed this issue 6 years ago

gmacario commented 6 years ago

As displayed after a scratch installation of easy-jenkins master (8af0182be6b549c2321975f9ac13782eb57ea6ae)

[image]

gmacario commented 6 years ago

From https://jenkins.io/security/advisory/2018-03-26/#SECURITY-261

SECURITY-261

GitHub Pull Request Builder Plugin stored serialized objects in build.xml files that contained the credential used to poll Jenkins. This can be used by users with master file system access to obtain GitHub credentials.

Since 1.40.0, the plugin no longer stores serialized objects containing the credential on disk.

Builds started before the plugin was updated to 1.40.0 will retain the encoded credentials on disk. We strongly recommend revoking old GitHub credentials used in Jenkins. We’re providing a script for use in the Script Console that will attempt to remove old stored credentials from build.xml files.
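A defender-side audit of the condition the advisory describes, added here as an example; it is not code from easy-jenkins, from the plugin, or from the Script Console script the advisory provides. It walks a JENKINS_HOME, lists the build.xml files that still carry serialized GitHub Pull Request Builder objects, and shows how such elements can be stripped from a copy of the file. It assumes the plugin's serialized classes appear under the Java package prefix `org.jenkinsci.plugins.ghprb` (as element tags or `class="..."` attributes); the sample build.xml, its nested layout and the `token` field are constructed for the demo and do not reproduce the real on-disk format.

```python
"""Audit Jenkins build.xml files for serialized GitHub Pull Request Builder
objects left behind by builds that ran before plugin 1.40.0 (SECURITY-261).

Added example, not code from easy-jenkins or from the Jenkins advisory.
Assumption: serialized plugin classes carry the package prefix below.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

GHPRB_PREFIX = "org.jenkinsci.plugins.ghprb"  # assumed Java package prefix

# Constructed sample: layout and field names are invented for the demo.
SAMPLE_BUILD_XML = """<build>
  <actions>
    <hudson.model.CauseAction>
      <causes>
        <org.jenkinsci.plugins.ghprb.GhprbCause>
          <pullID>42</pullID>
          <repository class="org.jenkinsci.plugins.ghprb.GhprbRepository">
            <token>CONSTRUCTED-PLACEHOLDER-TOKEN</token>
          </repository>
        </org.jenkinsci.plugins.ghprb.GhprbCause>
      </causes>
    </hudson.model.CauseAction>
  </actions>
  <number>42</number>
  <result>SUCCESS</result>
</build>
"""


def _is_ghprb(el):
    """True if the element is a serialized object from the assumed plugin package."""
    return el.tag.startswith(GHPRB_PREFIX) or el.get("class", "").startswith(GHPRB_PREFIX)


def find_ghprb_elements(xml_text):
    """Return the class names of serialized ghprb objects found in one build.xml, in document order."""
    root = ET.fromstring(xml_text)
    return [el.tag if el.tag.startswith(GHPRB_PREFIX) else el.get("class")
            for el in root.iter() if _is_ghprb(el)]


def audit_jenkins_home(jenkins_home):
    """Map each jobs/**/builds/<n>/build.xml that carries ghprb objects to the class names found."""
    findings = {}
    for dirpath, _dirs, files in os.walk(os.path.join(jenkins_home, "jobs")):
        # Only per-build directories, i.e. the parent directory is named "builds".
        if "build.xml" not in files or os.path.basename(os.path.dirname(dirpath)) != "builds":
            continue
        path = os.path.join(dirpath, "build.xml")
        with open(path, encoding="utf-8") as f:
            try:
                hits = find_ghprb_elements(f.read())
            except ET.ParseError:
                continue  # unreadable file: skip rather than guess
        if hits:
            findings[os.path.relpath(path, jenkins_home)] = hits
    return findings


def _strip(parent):
    """Remove ghprb children of parent (and their subtrees); recurse into the rest."""
    removed = 0
    for child in list(parent):
        if _is_ghprb(child):
            parent.remove(child)
            removed += 1
        else:
            removed += _strip(child)
    return removed


def strip_ghprb_elements(xml_text):
    """Return (cleaned XML text, number of top-level ghprb objects removed)."""
    root = ET.fromstring(xml_text)
    removed = _strip(root)
    return ET.tostring(root, encoding="unicode"), removed


def demo_audit():
    """Build a throwaway JENKINS_HOME holding the constructed build.xml and audit it."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    build_dir = os.path.join(home, "jobs", "demo-job", "builds", "42")
    os.makedirs(build_dir)
    with open(os.path.join(build_dir, "build.xml"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_BUILD_XML)
    return audit_jenkins_home(home)


if __name__ == "__main__":
    for path, classes in demo_audit().items():
        print(f"{path}: {', '.join(classes)}")
    cleaned, n = strip_ghprb_elements(SAMPLE_BUILD_XML)
    print(f"removed {n} serialized object(s); token still present: {'TOKEN' in cleaned}")
```

Run the audit against a copy of JENKINS_HOME with Jenkins stopped, and treat any hit as confirmation that the token named in the advisory must be revoked regardless of whether the file is cleaned: stripping the element only removes the copy on disk, not the credential's validity at GitHub.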