Jenkins open people list
Description
Jenkins is an automation server commonly used for continuous integration and deployment pipelines.
The /asynchPeople endpoint is publicly accessible without authentication and exposes a list of all Jenkins users registered on the system. This information disclosure occurs due to insufficient access controls on this administrative endpoint.
Remediation
Restrict access to the /asynchPeople endpoint by implementing proper authentication and authorization controls.
1. Enable Jenkins security if not already configured by navigating to Manage Jenkins > Configure Global Security
2. Ensure "Authorization" is set to a restrictive strategy such as "Matrix-based security" or "Project-based Matrix Authorization Strategy"
3. Configure the authorization matrix to limit access to administrative endpoints to authenticated users with appropriate permissions
4. Consider using the "Strict Crumb Issuer" to prevent CSRF attacks
5. Regularly audit user permissions and remove inactive accounts
For additional hardening, consider implementing reverse proxy rules to block unauthenticated access to sensitive endpoints or use Jenkins security plugins to enforce stricter access controls.
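To verify the remediation from the defender's side, the following script is an added example (not part of this finding template or of Jenkins itself). It issues a single unauthenticated GET to /asynchPeople/ and classifies the answer: Jenkins redirects anonymous users to the login page (302) or denies access (401/403) once Overall/Read is no longer granted to anonymous, while a 200 means the people list still renders for anyone. The user-ID extraction from profile links is a best-effort assumption about the rendered HTML, and the sample HTML in the self-test is constructed.

```python
"""Check whether a Jenkins instance serves /asynchPeople/ to anonymous users."""
import re
import sys
import urllib.error
import urllib.request

# Profile links in the rendered page look like href="/user/<id>/" or
# href="/<context>/user/<id>/"; this pattern is an assumption about the markup.
USER_LINK = re.compile(r'href="[^"]*/user/([^/"]+)/?"')


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects; let a 302 surface as an HTTPError with code 302."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, body: str) -> dict:
    """Turn the status and body of an anonymous GET /asynchPeople/ into a verdict."""
    if status == 200:
        # The view rendered for an unauthenticated client: finding is present.
        users = sorted(set(USER_LINK.findall(body)))
        return {"exposed": True, "status": status, "users": users}
    # 302 -> sent to the login page, 401/403 -> access denied: endpoint is protected.
    protected = status in (302, 401, 403)
    return {"exposed": not protected, "status": status, "users": []}


def check(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch /asynchPeople/ without credentials and without following redirects."""
    url = base_url.rstrip("/") + "/asynchPeople/"
    opener = urllib.request.build_opener(NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "asynchpeople-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_asynch_people.py https://jenkins.example.internal")
    verdict = check(sys.argv[1])
    state = "EXPOSED" if verdict["exposed"] else "protected"
    print(f"/asynchPeople/ is {state} (HTTP {verdict['status']})")
    for user in verdict["users"]:
        print(f"  disclosed user id: {user}")
```

Run it against your own instance after changing the authorization strategy; a result of "protected" with HTTP 302 or 403 confirms anonymous access to the people list is gone.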