Open Signups
Description:
If signups are not turned off, anyone who can reach the Jenkins instance can create an account and potentially gain (privileged) access to (internal) developer resources.
Testing:
Navigate to one of the following app routes and check if signups are enabled:
Remediation:
Make sure signups are disabled for Jenkins. To do so:
1. Navigate to the Configure Global Security page at /configureSecurity
2. Make sure the option "Allow users to sign up" is unchecked
3. Apply and Save your changes
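The same remediation can be applied and audited from the Jenkins Script Console or an init.groovy.d/ startup hook. The script below is an added example, not part of the original page, and assumes the instance uses Jenkins' own user database (HudsonPrivateSecurityRealm), since only that realm offers the "Allow users to sign up" option.

```groovy
// Added example: audit the active security realm and disable self-signup on the
// built-in user database. Run in Manage Jenkins > Script Console or drop into
// $JENKINS_HOME/init.groovy.d/ so it is enforced on every startup.
import jenkins.model.Jenkins
import hudson.security.HudsonPrivateSecurityRealm

def jenkins = Jenkins.get()
def realm = jenkins.getSecurityRealm()

if (!(realm instanceof HudsonPrivateSecurityRealm)) {
    // External realms (LDAP, SAML, OAuth, ...) have no signup toggle; account
    // creation is governed by the identity provider, so nothing to change here.
    println "Security realm is ${realm.getClass().simpleName}; built-in signup does not apply."
} else if (!realm.allowsSignup()) {
    println "OK: self-signup is already disabled."
} else {
    // Constructor signature: HudsonPrivateSecurityRealm(allowsSignup, enableCaptcha, captchaSupport).
    // Captcha only matters for the signup form, so it is dropped along with signup.
    // Existing accounts are stored under $JENKINS_HOME/users and survive the realm swap.
    jenkins.setSecurityRealm(new HudsonPrivateSecurityRealm(false, false, null))
    jenkins.save()
    println "FIXED: self-signup disabled; confirm the checkbox is cleared under /configureSecurity."
}
```

Re-run the script after the change: it should now report "OK: self-signup is already disabled."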
Potential Impact:
Unauthorized users being able to create an account often introduces little risk on its own. However, if the in-app permissions are not configured and grant newly signed-up users too many privileges, this becomes a new attack vector. That can expose your company to several new security problems (especially code execution, since Jenkins is a CI/CD tool).