
Jenkins open user registration

Description

Jenkins is an open-source automation server widely used for continuous integration and continuous delivery (CI/CD) workflows.

This vulnerability occurs when Jenkins is configured with open user registration enabled, allowing any unauthenticated user to create an account and gain access to the Jenkins dashboard without administrator approval. This misconfiguration exposes the Jenkins instance to unauthorized access.

Remediation

Disable open user registration in Jenkins and implement a controlled user management process:

1. Navigate to 'Manage Jenkins' > 'Configure Global Security'
2. Under 'Security Realm', if using Jenkins' own user database, uncheck the option 'Allow users to sign up'
3. Configure an appropriate authorization strategy (e.g., 'Matrix-based security' or 'Project-based Matrix Authorization Strategy') to restrict access to authorized users only
4. Review existing user accounts and remove any unauthorized or suspicious accounts
5. Consider integrating with an enterprise identity provider (LDAP, Active Directory, SAML) for centralized user management
6. Regularly audit user permissions and access logs to detect unauthorized access attempts
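The sign-up setting and the authorization strategy from steps 2 and 3 are both persisted in `$JENKINS_HOME/config.xml`, so a quick way to verify the remediation (or to audit many controllers) is to inspect that file. The script below is an added example, not Invicti's or the Jenkins project's code; the `OPEN_CONFIG` and `HARDENED_CONFIG` strings are constructed samples of the elements Jenkins writes for its own user database (`hudson.security.HudsonPrivateSecurityRealm`, where `disableSignup` must be `true`) and for the authorization strategy.

```python
"""Audit a Jenkins config.xml for open user registration and a permissive
authorization strategy, and produce the corrected sign-up setting.

Added example (not Invicti's or the Jenkins project's code). The sample XML
below is constructed for the demonstration; a real file lives at
$JENKINS_HOME/config.xml and starts with an XML declaration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: Jenkins' own user database with sign-up allowed and the
# "Anyone can do anything" authorization strategy (the misconfiguration).
OPEN_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

# Constructed sample after remediation: sign-up disabled and matrix-based
# security granting Administer only to the "admin" account.
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

PRIVATE_REALM = "hudson.security.HudsonPrivateSecurityRealm"

# Strategies that make every account (or every visitor) effectively an admin.
WEAK_STRATEGIES = {
    "hudson.security.AuthorizationStrategy$Unsecured": "anyone can do anything",
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy":
        "any logged-in user has full control",
}


def audit(config_xml: str) -> list:
    """Return a list of findings; an empty list means no issue was detected."""
    root = ET.fromstring(config_xml)
    findings = []

    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        findings.append("security disabled: useSecurity is not true")

    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == PRIVATE_REALM:
        # Missing element defaults to sign-up allowed, so treat it as open too.
        if (realm.findtext("disableSignup") or "false").strip().lower() != "true":
            findings.append("open user registration: disableSignup is not true")

    strategy = root.find("authorizationStrategy")
    if strategy is not None and strategy.get("class") in WEAK_STRATEGIES:
        findings.append(
            "weak authorization strategy: " + WEAK_STRATEGIES[strategy.get("class")]
        )
    return findings


def disable_signup(config_xml: str) -> str:
    """Return the config with disableSignup forced to true for the private realm.

    This is the file-level equivalent of unchecking 'Allow users to sign up';
    it does not touch the authorization strategy, which still needs step 3.
    """
    root = ET.fromstring(config_xml)
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == PRIVATE_REALM:
        node = realm.find("disableSignup")
        if node is None:
            node = ET.SubElement(realm, "disableSignup")
        node.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("open config:", audit(OPEN_CONFIG))
    print("after disable_signup:", audit(disable_signup(OPEN_CONFIG)))
    print("hardened config:", audit(HARDENED_CONFIG))
```

Prefer making the change through the UI (steps 1 to 3) or a configuration-as-code mechanism on a running controller: Jenkins holds this configuration in memory, so an edit to `config.xml` on disk only takes effect after a restart or a "Reload Configuration from Disk", and the audit function is most useful as a read-only check that the setting actually persisted.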
