jira.codehaus.org

  • Sonar
  • SONAR-3127

Global (default) passwords get exposed to less privileged users

Details

  • Type: Bug
  • Status: Closed
  • Priority: Critical
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 3.0
  • Component/s: Administration, API
  • Labels:
    • core
    • security
  • Environment:
    Sonar 2.12
    Solaris

Description

Our enterprise environment is set up with very high security restrictions...
The main administrator for our CI infrastructure has set up Sonar with some technical user to connect to all the different surrounding systems (e.g. SVN, Jenkins, Oracle) and has defined these connection details and passwords on the global configuration.
This was fine until we upgraded to the latest Sonar version (2.12) - since then, every administrator of a single project is able to see the passwords given by the global admin within the settings page (mentioned as default next to the field).
Since this is a full no-go in our company, we have deactivated every single plugin using some additional passwords to connect to any system.
...in fact, because of this I would rate this issue even a full blocker and a high security issue!
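
The exposure described in this report, sketched as an added example that is not part of the original issue and is not Sonar's code: the "default" hints for a project settings page are built on the server, and password-typed global values are masked before they reach a viewer who is not a global administrator. The class, enum and property keys are hypothetical, and the sample values are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; all names here are hypothetical and not Sonar's API.
public class ProjectSettingsView {
    enum Type { STRING, PASSWORD }

    static final String MASK = "********";

    /**
     * Builds the inherited "default" hints shown next to each field on a
     * project settings page. The global value of a PASSWORD-typed property is
     * returned only to a global admin; any other viewer learns that a default
     * exists, not what it is. Masking here, before rendering, keeps the secret
     * out of the page source, which an HTML password input alone does not.
     */
    static Map<String, String> inheritedDefaults(Map<String, String> globalValues,
                                                 Map<String, Type> types,
                                                 boolean viewerIsGlobalAdmin) {
        Map<String, String> shown = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : globalValues.entrySet()) {
            // A property with no declared type fails closed: treat it as a secret.
            Type type = types.getOrDefault(e.getKey(), Type.PASSWORD);
            boolean hide = type == Type.PASSWORD && !viewerIsGlobalAdmin;
            shown.put(e.getKey(), hide ? MASK : e.getValue());
        }
        return shown;
    }

    public static void main(String[] args) {
        // Constructed sample data: global settings defined by the global admin.
        Map<String, String> global = new LinkedHashMap<>();
        global.put("scm.user", "ci-tech-user");
        global.put("scm.password", "constructed-secret");
        global.put("plugin.untyped.token", "constructed-token");

        // Constructed type declarations; the token is deliberately left untyped.
        Map<String, Type> types = Map.of(
                "scm.user", Type.STRING,
                "scm.password", Type.PASSWORD);

        System.out.println("project admin: " + inheritedDefaults(global, types, false));
        System.out.println("global admin:  " + inheritedDefaults(global, types, true));
    }
}
```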

Issue Links

depends upon

  • SONAR-1378 API: define property type (Improvement, Critical, Closed)

relates to

  • SONARPLUGINS-1068 Use masked password field (Improvement, Major, Open)
  • SONARPLUGINS-1072 Use masked password field (Improvement, Major, Resolved)

Activity

Antonio Manuel Muñiz Martín added a comment - 26/Dec/11 10:53 AM

Hi,

I think this issue is related to SONAR-1378

Antonio.

Dominik Bartholdi added a comment - 29/Dec/11 4:06 AM

2.15? - that's sad, because we can't use all these plugins until then anymore...

Freddy Mallet added a comment - 20/Mar/12 6:55 AM

Manually tested

Simon Brandhof added a comment - 22/Mar/12 6:30 PM

Integration test added


People

  • Assignee: Simon Brandhof
  • Reporter: Dominik Bartholdi

Dates

  • Created: 24/Dec/11 7:25 AM
  • Updated: 22/Mar/12 6:30 PM
  • Resolved: 19/Mar/12 2:32 AM