H3-2022-0071
Jenkins Self-Signup Enabled
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.0 |
Description
The Jenkins instance permits anyone to create an account and log in to the Jenkins server.
Impact
An attacker who registers an account through Jenkins self-signup can potentially access sensitive information such as passwords, private keys, and tokens. Depending on the configuration of the server, the attacker may also be able to perform sensitive actions.
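A configuration check for this finding, as an added example that is not part of the original advisory: it reads a Jenkins `config.xml` and reports whether the built-in user database allows signup and whether the authorization strategy then grants broad rights to any signed-up account. The sample config is constructed, the function name `audit_signup` is hypothetical, and treating a missing `<disableSignup>` element as "signup allowed" is an assumption.

```python
import re
import xml.etree.ElementTree as ET

PRIVATE_REALM = "hudson.security.HudsonPrivateSecurityRealm"
# Strategies that hand broad rights to every authenticated (or any) user.
BROAD_STRATEGIES = {
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy",
    "hudson.security.AuthorizationStrategy$Unsecured",
}

# Constructed sample of a Jenkins config.xml (not taken from a real server).
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

def audit_signup(config_xml):
    """Return signup and post-signup privilege findings for one config.xml."""
    # Jenkins writes an XML 1.1 declaration; Python's parser only handles
    # XML 1.0, so drop the declaration before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml, count=1)
    root = ET.fromstring(body)
    realm = root.find("securityRealm")
    strategy = root.find("authorizationStrategy")
    realm_class = realm.get("class", "") if realm is not None else ""
    strategy_class = strategy.get("class", "") if strategy is not None else ""
    signup = False
    if realm_class == PRIVATE_REALM:
        # Assumption: an absent <disableSignup> element means signup is allowed.
        flag = (realm.findtext("disableSignup") or "false").strip().lower()
        signup = flag != "true"
    return {
        "signup_enabled": signup,
        "authorization_strategy": strategy_class,
        "broad_rights_after_signup": signup and strategy_class in BROAD_STRATEGIES,
    }

if __name__ == "__main__":
    print(audit_signup(SAMPLE_CONFIG))
    print(audit_signup(SAMPLE_CONFIG.replace("<disableSignup>false", "<disableSignup>true")))
```

A result with `signup_enabled` set to true corresponds to the "Allow users to sign up" option being checked for Jenkins' own user database in the global security settings.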