gmacario/easy-jenkins

GitHub Pull Request Builder 1.40.0: GitHub access tokens stored in build.xml

gmacario opened this issue · 1 comment

As displayed after a scratch installation of easy-jenkins master (8af0182)


From https://jenkins.io/security/advisory/2018-03-26/#SECURITY-261

SECURITY-261

GitHub Pull Request Builder Plugin stored serialized objects in build.xml files that contained the credential used to poll Jenkins. This can be used by users with master file system access to obtain GitHub credentials.

Since 1.40.0, the plugin no longer stores serialized objects containing the credential on disk.

Builds started before the plugin was updated to 1.40.0 will retain the encoded credentials on disk. We strongly recommend revoking old GitHub credentials used in Jenkins. We’re providing a script for use in the Script Console that will attempt to remove old stored credentials from build.xml files.
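The advisory's remediation has two parts: revoke the GitHub credential, and locate the serialized copies that older builds left in build.xml. The following is an added example of the second part, written for this issue and not the Jenkins project's Script Console script. It assumes the standard layout of one build.xml per build under JENKINS_HOME/jobs/.../builds/<n>/, and it uses a constructed sample file whose plugin class name (org.example.hypothetical.PluginCause) and token value are placeholders; the real plugin's serialized element names are not reproduced here, so the scan matches on a tag-name heuristic (credential, token, password, secret) rather than on the plugin's classes.

```python
"""Audit Jenkins build.xml files for serialized objects that carry secret material.

Added example for SECURITY-261 style leaks; not the Jenkins project's own script.
Assumptions (labelled): builds live at JENKINS_HOME/**/builds/<n>/build.xml (real
layout), the tag-name heuristic below is hypothetical, and the sample XML is constructed.
"""
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Hypothetical heuristic: a text-bearing element whose tag looks like credential material.
SECRET_TAG_RE = re.compile(r"credential|token|password|secret", re.IGNORECASE)

# Constructed sample build.xml. The plugin class name and token are placeholders.
SAMPLE_BUILD_XML = """<?xml version='1.0' encoding='UTF-8'?>
<build>
  <actions>
    <org.example.hypothetical.PluginCause>
      <repository>gmacario/easy-jenkins</repository>
      <credentials>
        <token>ghp_CONSTRUCTEDSAMPLE0000000000</token>
      </credentials>
    </org.example.hypothetical.PluginCause>
  </actions>
  <number>12</number>
  <result>SUCCESS</result>
</build>
"""


def find_secret_elements(root):
    """Return (slash-joined path, element) pairs for text-bearing elements with a secret-ish tag."""
    hits = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}" if path else elem.tag
        if SECRET_TAG_RE.search(elem.tag) and (elem.text or "").strip():
            hits.append((here, elem))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


def secret_paths_in(xml_text):
    """Convenience wrapper: paths of secret-bearing elements in an XML string."""
    return [path for path, _ in find_secret_elements(ET.fromstring(xml_text))]


def scrub_build_xml(path, dry_run=True):
    """Report, and with dry_run=False remove, secret-bearing elements from one build.xml.

    Returns the list of element paths found. When rewriting, the original file is kept
    beside it as build.xml.bak so the operator can verify before deleting the backup.
    """
    path = Path(path)
    tree = ET.parse(path)
    root = tree.getroot()
    hits = find_secret_elements(root)
    if hits and not dry_run:
        parent_of = {child: parent for parent in root.iter() for child in parent}
        for _, elem in hits:
            if elem in parent_of:           # the root element itself is never removed
                parent_of[elem].remove(elem)
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        tree.write(path, encoding="UTF-8", xml_declaration=True)
    return [p for p, _ in hits]


def audit_jenkins_home(jenkins_home, dry_run=True):
    """Scan every builds/<n>/build.xml below jenkins_home; return {file: [paths]} for files with hits."""
    findings = {}
    for build_xml in sorted(Path(jenkins_home).rglob("build.xml")):
        if build_xml.parent.parent.name != "builds":   # skip unrelated build.xml files
            continue
        hits = scrub_build_xml(build_xml, dry_run=dry_run)
        if hits:
            findings[str(build_xml)] = hits
    return findings


def demo():
    """Create a throwaway Jenkins home with one affected build, audit it, then scrub it."""
    home = Path(tempfile.mkdtemp(prefix="jenkins_home_"))
    build_xml = home / "jobs" / "easy-jenkins" / "builds" / "12" / "build.xml"
    build_xml.parent.mkdir(parents=True)
    build_xml.write_text(SAMPLE_BUILD_XML, encoding="utf-8")

    before = audit_jenkins_home(home)            # dry run: report only
    audit_jenkins_home(home, dry_run=False)      # rewrite, keeping build.xml.bak
    after = audit_jenkins_home(home)
    scrubbed = build_xml.read_text(encoding="utf-8")
    shutil.rmtree(home)
    return {
        "hits_before": sum(len(v) for v in before.values()),
        "hits_after": sum(len(v) for v in after.values()),
        "token_gone": "ghp_CONSTRUCTEDSAMPLE" not in scrubbed,
        "repository_kept": "gmacario/easy-jenkins" in scrubbed,
    }


if __name__ == "__main__":
    print(demo())
```

Run it in dry-run mode first (the default) against a copy of JENKINS_HOME and review the reported element paths before rewriting anything, since a tag-name heuristic can both miss the plugin's real element names and match unrelated fields. The backup files it leaves behind still contain the secret and must be removed once verified; and as the advisory says, scrubbing files does not replace revoking the credential, because any earlier backup or copy of build.xml still holds it.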