Jenkins dashboard
Description
Jenkins is a widely used continuous integration and continuous delivery (CI/CD) automation server that executes and monitors build jobs, deployments, and scheduled tasks. When the Jenkins dashboard is publicly accessible without authentication, it exposes detailed information about the organization's software development processes, infrastructure, and potentially sensitive configuration data (job names, build parameters, node and agent details, installed plugins and their versions). Unrestricted access to this interface is an information disclosure vulnerability that aids attackers in reconnaissance.
Remediation
Implement authentication and authorization controls to restrict access to the Jenkins dashboard:
1. Enable Jenkins security by navigating to 'Manage Jenkins' > 'Configure Global Security' and checking 'Enable security'
2. Configure an authentication method (LDAP, Active Directory, Jenkins user database, or SAML)
3. Set the authorization strategy to 'Matrix-based security' or 'Project-based Matrix Authorization Strategy' to control user permissions
4. Ensure anonymous users have no read access by removing all permissions for the 'Anonymous' user
5. Restrict network access using firewall rules or reverse proxy authentication to limit dashboard access to trusted IP ranges or VPN connections
6. Regularly audit user permissions and remove unnecessary access rights
7. Consider using the 'Role-based Authorization Strategy' plugin for more granular access control in larger deployments
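As an added worked example (not part of the original finding text), the same remediation expressed as a Jenkins Configuration as Code (JCasC) file, covering steps 1 to 4 above. It assumes the Configuration as Code and Matrix Authorization Strategy plugins are installed (matrix-auth 3.x `entries` syntax), that the file is loaded through the `CASC_JENKINS_CONFIG` environment variable, and that the `admin` account name and the `ADMIN_PASSWORD` variable are placeholders chosen for this example. The built-in Jenkins user database stands in for the LDAP, Active Directory or SAML realm the page also lists; any of those would occupy the same `securityRealm` block.

```yaml
# Added example, not from the original page: JCasC file implementing
# remediation steps 1-4. The weak block is shown commented out for
# contrast; deploy only the hardened block below it.

# --- WEAK (the finding above): anonymous users may read the dashboard ---
# jenkins:
#   securityRealm:
#     local:
#       allowsSignup: false
#   authorizationStrategy:
#     loggedInUsersCanDoAnything:
#       allowAnonymousRead: true

# --- HARDENED: login required, matrix authorization, no anonymous rights ---
jenkins:
  # Steps 1-2: security is on as soon as a realm is set; the built-in
  # user database is used here so the example is self-contained.
  securityRealm:
    local:
      allowsSignup: false               # nobody can self-register an account
      users:
        - id: "admin"                   # placeholder account name
          password: "${ADMIN_PASSWORD}" # read from the environment, never hard-coded
  # Step 3: matrix-based authorization strategy.
  # Step 4: the 'anonymous' principal is absent, so it holds no permissions.
  authorizationStrategy:
    globalMatrix:
      entries:
        - user:
            name: "admin"
            permissions:
              - "Overall/Administer"
        - group:
            name: "authenticated"       # every logged-in user
            permissions:
              - "Overall/Read"          # may see the dashboard
              - "Job/Read"              # and browse jobs, nothing more by default
```

After Jenkins reloads this configuration, an unauthenticated request such as `curl -s -o /dev/null -w '%{http_code}' https://JENKINS_HOST/api/json` (placeholder host) should return 403 rather than 200; a 200 means anonymous read is still being granted somewhere, for example by a project-level matrix or a leftover 'Logged-in users can do anything' strategy, and the finding is not yet closed.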