Jenkins before LTS version 2.121.3 and weekly version 2.138 allows unauthorized users to access agent logs. Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks. Access to the affected URL is now limited to users with the correct Agent/Connect permission.

External Reference: https://jenkins.io/security/advisory/2018-08-15/#SECURITY-1071
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1620352]
Upstream commit: https://github.com/jenkinsci/jenkins/commit/6867e4469525d16319b1bae9c840b933fe4e23c4
By default, Jenkins doesn't set up users without the Agent/Connect permission. It's possible to set up such users, but because of this issue it's best not to rely on the Agent/Connect permission to prevent access to agent logs on OpenShift Container Platform 3.10 and earlier. Upgrade to OpenShift Container Platform 3.11 to pick up a fix for this issue.
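
A triage helper for the version boundaries given in the description, added here as an example and not taken from the Jenkins project or this bug report. It assumes version strings have already been collected from each controller (for instance from the `X-Jenkins` response header), that two-component versions are weekly releases and three-component versions are LTS releases, and it uses constructed hostnames.

```python
import re

# Fixed releases named in the description above.
FIXED_LTS = (2, 121, 3)
FIXED_WEEKLY = (2, 138)

# Plain "X.Y" or "X.Y.Z" only; anything else is sent to manual review.
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a Jenkins core version."""
    m = _VERSION.match(version.strip())
    if not m:
        # Snapshots, vendor rebuilds, empty strings: do not guess.
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is None:
        # Assumption: two components means the weekly release line.
        return "affected" if (major, minor) < FIXED_WEEKLY else "fixed"
    # Assumption: three components means the LTS release line.
    lts = (major, minor, int(m.group(3)))
    return "affected" if lts < FIXED_LTS else "fixed"


def needs_attention(inventory):
    """Return sorted (host, status) pairs for every host not known to be fixed."""
    flagged = []
    for host, version in inventory.items():
        status = classify(version)
        if status != "fixed":
            flagged.append((host, status))
    return sorted(flagged)


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "ci-a.example.test": "2.121.2",         # LTS, one patch short of the fix
    "ci-b.example.test": "2.121.3",         # LTS, fixed
    "ci-c.example.test": "2.137",           # weekly, last affected release
    "ci-d.example.test": "2.138",           # weekly, fixed
    "ci-e.example.test": "2.138-SNAPSHOT",  # unparseable, manual review
}

if __name__ == "__main__":
    for host, status in needs_attention(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```
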