Jenkins Accessible without Credentials

Severity: High | Nessus Plugin ID 71215

Synopsis

The remote web server hosts a job scheduling / management system that is accessible without authentication.

Description

The remote web server hosts Jenkins, a job scheduling / management system and a drop-in replacement for Hudson. Because the application allows unauthenticated access, anyone may be able to configure Jenkins and its jobs and trigger builds.

Additionally, this plugin checks for unauthenticated access to '/scripts', because anyone with access to the script console can run arbitrary Groovy scripts on the remote host.

Solution

Refer to the Jenkins security guide for information on restricting access to Jenkins.

See Also

https://wiki.jenkins.io/display/JENKINS/Securing+Jenkins

Plugin Details

Severity: High

ID: 71215

File Name: jenkins_accessible.nasl

Version: 1.7

Type: remote

Family: CGI abuses

Published: 12/4/2013

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Vulnerability Information

CPE: cpe:/a:cloudbees:jenkins

Required KB Items: www/Jenkins

Excluded KB Items: Settings/disable_cgi_scanning