edit-icon download-icon

[Vulnerability notice] Unauthorized access vulnerability in Jenkins

Last Updated: Apr 02, 2018

CVE identifier

None

Vulnerability name

Jenkins unauthorized access vulnerability

Vulnerability rating

High

Vulnerability description

Jenkins is a popular software project management platform. With default configurations, Jenkins allows everyone to access all pages on it. By exploiting the scripts page on Jenkins, attackers can run system commands and gain server permissions to intrude the server and cause security issues such as data leakage.

Condition and method of exploitation

Hackers can exploit the vulnerability on the Internet to gain server permissions remotely.

How to fix or mitigate

  • Add the access password on the Jenkins management page. We recommend that you add a strong password that consists of more than 10 characters including digits, letters, and special characters.

  • Do not open the management backend to the Internet. You can use the ECS security group policy to configure access control. The default policy refuses all communication requests. You can only open services that need to be provided to external users, and control the access to source IP addresses.

Note: To avoid data loss, create backups or an ECS disk snapshot before the upgrade.

Thank you! We've received your feedback.