Jenkins unauthorized access vulnerability
Jenkins is a popular software project management platform. In its default configuration, Jenkins allows everyone, including unauthenticated visitors, to access all of its pages. By using the Script Console page, an attacker can run operating system commands on the host, take control of the server, and cause security issues such as data leakage.
Condition and method of exploitation
Any attacker who can reach the Jenkins web interface over the Internet can exploit this vulnerability remotely, without credentials, to gain control of the server.
How to fix or mitigate
Require a login for the Jenkins management pages instead of allowing anonymous access. We recommend a strong password of more than 10 characters that includes digits, letters, and special characters.
Do not expose the management backend to the Internet. Use ECS security group policies to control access: the default policy rejects all inbound requests, so open only the services that must be reachable by external users and restrict each one to the required source IP addresses.
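The following script is an added example, not part of the original advisory, that lets an administrator verify both mitigations above on their own instance: it sends unauthenticated GET requests to Jenkins to confirm that the Script Console and the API are no longer served to anonymous users, and it scans a list of security group ingress rules for entries that expose the Jenkins port to the whole Internet. The Jenkins URL, the port 8080, and the rule record shape (resembling, but not identical to, ECS ingress rules) are assumptions constructed for the example.

```python
"""Added example (not from the original advisory): verify the two mitigations.

1. Does the Jenkins instance still serve pages to anonymous users?
   (advisory fix: require a login)
2. Do the security group rules expose the Jenkins port to the Internet?
   (advisory fix: restrict source IP addresses)

The URL, the port and the rule records are assumptions made for this example.
"""
import ipaddress
import sys
import urllib.error
import urllib.request

JENKINS_PORT = 8080  # assumed listening port of the Jenkins web interface


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to /login must not count as a 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, paths=("/api/json", "/script"), timeout=5):
    """Send unauthenticated GETs and return {path: HTTP status or None}."""
    opener = urllib.request.build_opener(_NoRedirect())
    result = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "jenkins-audit"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                result[path] = resp.status
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
            result[path] = err.code
        except (urllib.error.URLError, OSError):
            result[path] = None  # unreachable: not exposed on this path
    return result


def classify_anonymous_access(status_by_path):
    """Interpret the status codes returned to an *unauthenticated* client.

    'open'      - the Script Console itself is served without login (the
                  vulnerable default described in the advisory)
    'read-only' - ordinary pages are visible anonymously, console is not
    'locked'    - a login is required for everything
    """
    if status_by_path.get("/script") == 200:
        return "open"
    if status_by_path.get("/api/json") == 200:
        return "read-only"
    return "locked"


def exposed_rules(rules, port=JENKINS_PORT):
    """Return accept rules that admit TCP traffic to `port` from a public range.

    Rule shape (constructed for this example): {"policy": "accept"|"drop",
    "proto": "tcp"|"udp"|"all", "port_range": "lo/hi" ("-1/-1" = all ports),
    "source": CIDR}. A rule is flagged when its source is 0.0.0.0/0 or a
    public range larger than a /24; single public hosts (e.g. an office
    address) and private ranges are considered acceptable.
    """
    flagged = []
    for rule in rules:
        if rule.get("policy") != "accept":
            continue
        if rule.get("proto", "").lower() not in ("tcp", "all"):
            continue
        lo, hi = (int(x) for x in rule["port_range"].split("/"))
        if not (lo == -1 or lo <= port <= hi):
            continue
        net = ipaddress.ip_network(rule["source"], strict=False)
        too_broad = net.prefixlen == 0 or (not net.is_private and net.num_addresses > 256)
        if too_broad:
            flagged.append(rule)
    return flagged


# Constructed sample: one rule (the first) opens the Jenkins port to everyone.
SAMPLE_RULES = [
    {"policy": "accept", "proto": "tcp", "port_range": "8080/8080", "source": "0.0.0.0/0"},
    {"policy": "accept", "proto": "tcp", "port_range": "8080/8080", "source": "203.0.113.10/32"},
    {"policy": "accept", "proto": "tcp", "port_range": "22/22", "source": "0.0.0.0/0"},
    {"policy": "accept", "proto": "all", "port_range": "-1/-1", "source": "10.0.0.0/8"},
    {"policy": "drop", "proto": "tcp", "port_range": "8080/8080", "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    # Usage: python jenkins_audit.py http://jenkins.example.internal:8080
    url = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"  # assumed URL
    statuses = probe(url)
    print("anonymous access:", classify_anonymous_access(statuses), statuses)
    for bad in exposed_rules(SAMPLE_RULES):
        print("security group rule exposes Jenkins port:", bad)
```

Run the script against the instance after applying the fix; the expected outcome is `locked` for the access check and no flagged rules. A `read-only` result means anonymous read is still enabled, which does not by itself expose the console but is still wider than the advisory recommends for an Internet-reachable host.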
Note: To avoid data loss, create backups or an ECS disk snapshot before the upgrade.