Jenkins user enumeration - Vulnerability Database

Jenkins user enumeration

Description

Jenkins is an open-source automation server commonly used for continuous integration and deployment. An information disclosure vulnerability allows unauthenticated users to enumerate valid Jenkins user accounts by requesting the /securityRealm/user/admin/search/index?q= endpoint. The endpoint returns a list of the users registered in the Jenkins instance without requiring authentication, exposing the organization's user base to potential attackers.

Remediation

Restrict access to the user enumeration endpoint with authentication and authorization controls. In Manage Jenkins > Configure Global Security, make sure the security realm is configured correctly and that the authorization strategy is not "Logged-in users can do anything"; use matrix-based or project-based security instead. Additionally, consider the following measures:

1. Enable Jenkins' built-in authorization strategy (Matrix-based security) and explicitly deny anonymous access to user-related endpoints
2. Use a reverse proxy (such as nginx or Apache) to block access to sensitive endpoints like /securityRealm/* for unauthenticated requests
3. Regularly audit user accounts and remove inactive or unnecessary accounts to minimize exposure
4. Implement rate limiting and monitoring for authentication-related endpoints to detect enumeration attempts
5. Keep Jenkins updated to the latest version, as newer releases may include additional security controls for this issue
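As an added illustration of the monitoring measure above (not code from Invicti or the Jenkins project), the following script scans reverse-proxy access logs in combined log format for anonymous requests to the user-search endpoint. It assumes the proxy records the authenticated user in the remote-user field (it does not for cookie-based Jenkins logins), counts only requests that returned 200 (a 403 means the endpoint is now protected), and flags source addresses that exceed a threshold; the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not from a real system.
# The third field is the remote user: "-" means the request carried no proxy-level auth.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /securityRealm/user/admin/search/index?q=a HTTP/1.1" 200 1532
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /securityRealm/user/admin/search/index?q=b HTTP/1.1" 200 1490
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /securityRealm/user/admin/search/index?q=c HTTP/1.1" 200 1511
198.51.100.4 - alice [10/Oct/2023:13:56:01 +0000] "GET /securityRealm/user/alice/search/index?q=bob HTTP/1.1" 200 900
203.0.113.9 - - [10/Oct/2023:13:57:00 +0000] "GET /securityRealm/user/admin/search/index?q=a HTTP/1.1" 403 120
203.0.113.9 - - [10/Oct/2023:13:57:05 +0000] "GET /job/build/ HTTP/1.1" 403 120
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The user-search endpoint under any user object in the security realm.
SEARCH_RE = re.compile(r"^/securityRealm/user/[^/]+/search/index\?")


def successful_anonymous_searches(log_text):
    """Return {ip: count} of anonymous user-search requests that were answered with 200.

    A non-empty result means the endpoint is still reachable without authentication.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if m["user"] != "-" or m["status"] != "200":
            continue  # authenticated request, or the endpoint refused it
        if SEARCH_RE.match(m["path"]):
            hits[m["ip"]] += 1
    return dict(hits)


def flag_enumeration(log_text, threshold=3):
    """Source addresses with at least `threshold` successful anonymous searches."""
    counts = successful_anonymous_searches(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```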
