Open Signups

Description:

If signups are not turned off, anyone who can reach the Jenkins instance can create an account and gain (privileged) access to (internal) developer resources.

Testing:

Navigate to one of the following app routes and check if signups are enabled:

/signup
/jenkins/signup
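As an added audit example (not part of this checklist), the following Python script requests the two routes above on an instance you administer and reports whether a self-signup form is actually served. It assumes the default Jenkins local security realm form, whose input fields are named username, password1 and password2; the base URL default, the sample HTML and the User-Agent string are constructed for the example.

```python
"""Audit helper: does this Jenkins instance still serve a self-signup form?

Added example, not part of the original checklist. Assumption: the default
Jenkins local security realm signup form uses input fields named 'username',
'password1' and 'password2'. A different security realm may render a different
form, in which case SIGNUP_FIELDS must be adjusted.
"""
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Routes named in the checklist, relative to the host root.
SIGNUP_ROUTES = ("/signup", "/jenkins/signup")
# Assumption: field names of the default signup form. The login form uses
# j_username / j_password, so it does not trigger a false positive.
SIGNUP_FIELDS = {"username", "password1", "password2"}


class _InputCollector(HTMLParser):
    """Collect the 'name' attribute of every <input> inside any <form>."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.field_names = set()

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form:
            name = dict(attrs).get("name")
            if name:
                self.field_names.add(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def signup_form_present(html: str) -> bool:
    """True if the page carries a form containing all signup field names."""
    parser = _InputCollector()
    parser.feed(html)
    return SIGNUP_FIELDS.issubset(parser.field_names)


def fetch(url: str, timeout: float = 10.0):
    """GET url and return (status, body); HTTP error codes are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "jenkins-signup-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Turn one response into an audit verdict for the route."""
    if status == 404:
        return "route absent"
    if signup_form_present(body):
        return "SIGNUP ENABLED"
    return "signup disabled (no form)"


def audit(base_url: str, routes=SIGNUP_ROUTES) -> dict:
    """Check every route on base_url; unreachable routes are reported, not fatal."""
    base = base_url.rstrip("/")
    results = {}
    for route in routes:
        try:
            status, body = fetch(base + route)
        except (urllib.error.URLError, OSError) as err:
            results[route] = f"unreachable: {err}"
            continue
        results[route] = classify(status, body)
    return results


# Constructed sample pages used to exercise the parser offline.
SAMPLE_SIGNUP_PAGE = """<html><body><form action="createAccount" method="post">
<input name="username"><input type="password" name="password1">
<input type="password" name="password2"><input name="fullname"><input name="email">
</form></body></html>"""
SAMPLE_DISABLED_PAGE = "<html><body><p>Sign-up is disabled on this instance.</p></body></html>"

if __name__ == "__main__":
    # Constructed default; pass your own instance's URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    for route, verdict in audit(target).items():
        print(f"{route:20s} {verdict}")
```

Run it against the instance's host root (the /jenkins/signup route already carries the context path) and treat any "SIGNUP ENABLED" line as a finding to remediate below. The verdict is based on the presence of the form, not on the HTTP status alone, because a disabled signup page may still answer 200 with an explanatory message.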

Remediation:

Make sure signups are disabled for Jenkins. You can do so as follows:

  1. Navigate to the Configure Global Security page at /configureSecurity

  2. Make sure the option Allow users to sign up is disabled

  3. Apply and Save your changes

Potential Impact:

Unauthorized users being able to create an account often introduces no risk on its own. However, if the in-app permissions are not configured and grant newly signed-up users too many privileges, it opens a new attack vector. This could introduce several new security issues for your company (especially code execution, since Jenkins is a CI/CD tool).

References:
