Jenkins weak password
Description
Jenkins is a widely used automation server for continuous integration and continuous delivery (CI/CD) workflows. This finding indicates that at least one Jenkins account is protected by a weak or easily guessable password that can be recovered by dictionary or brute-force guessing. The impact is severe: an authenticated Jenkins administrator can run arbitrary Groovy on the controller through the script console, read the credentials stored in Jenkins and control connected build agents, so a guessed administrator password amounts to full compromise of the server and the secrets it holds.
The scanner authenticated to the Jenkins interface using common or default username and password combinations. This shows that weak or default credentials are in use and that the authentication layer did not stop the guessing attempt. The scanner only reports the account it succeeded against; other accounts on the instance may have equally weak passwords and should be reviewed as part of the remediation.
Remediation
Change the identified credentials immediately, then harden authentication on the instance as follows:
1. Update Credentials: Change the identified weak credentials immediately. Use passwords of at least 12 characters that include uppercase letters, lowercase letters, numbers and special characters, preferably generated randomly and kept in a password manager. If the weak account had administrative rights, assume the credentials stored in Jenkins may already have been read and rotate them as well, and review the access logs for logins you do not recognise.
2. Enable Jenkins Security Realm: Configure Jenkins to use a secure authentication mechanism. Navigate to Manage Jenkins > Security (Configure Global Security in older versions) and select an appropriate security realm. Prefer delegating to LDAP, Active Directory or a SAML/OpenID Connect identity provider so that password policy, account lockout and MFA are enforced centrally. If you keep Jenkins' own user database, disable "Allow users to sign up" so that new accounts cannot be self-registered.
3. Enforce Password Complexity: Jenkins' own user database does not enforce password complexity on its own. If you keep it, install and configure the "Password Policy Plugin" or a similar plugin to enforce minimum requirements and block common passwords; otherwise rely on the policy of the external identity provider chosen in step 2.
4. Implement Multi-Factor Authentication (MFA): Enable MFA for all Jenkins users, especially administrators. The built-in realm does not provide MFA, so it has to come from the identity provider configured as the security realm (for example SAML or OpenID Connect).
5. Regular Security Audits: Periodically review user accounts, remove inactive users and audit permissions against the principle of least privilege. "Logged-in users can do anything" is only the minimum; a matrix- or role-based authorization strategy lets you give build and deploy accounts exactly the rights they need.
6. Disable Default Accounts: Jenkins itself does not ship a fixed default password (the setup wizard generates a random initial one), so "default" accounts here are typically ones created by installation scripts, container images or documentation examples (admin/admin and the like). Remove or disable any such account that still exists.
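The steps above collected into one startup script, as an added example that is not part of the original page or of the Jenkins project's own code. It is a Groovy script for $JENKINS_HOME/init.groovy.d/ that resets the administrator password from an environment variable and refuses a weak one, switches to Jenkins' own user database with sign-up disabled, blocks anonymous access, deletes leftover accounts, and finally audits the remaining local accounts against a short list of common passwords, which is the in-Jenkins counterpart of the scanner's check in the description. The environment variable names, the leftover account names and the common-password list are assumptions chosen for this example.

```groovy
// Added example: $JENKINS_HOME/init.groovy.d/harden-auth.groovy (runs at startup).
// Remove it after the first successful run, or it resets the admin password on every boot.
// Assumptions: JENKINS_ADMIN_USER / JENKINS_ADMIN_PASSWORD env vars, the leftover
// account names and the common-password list are placeholders for this example.
import jenkins.model.Jenkins
import hudson.model.User
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
import hudson.security.csrf.DefaultCrumbIssuer

Jenkins jenkins = Jenkins.get()

// Step 1: new administrator password taken from the environment, never hard-coded,
// and rejected unless it meets the 12-character, four-class policy.
String adminUser = System.getenv('JENKINS_ADMIN_USER') ?: 'admin'
String adminPass = System.getenv('JENKINS_ADMIN_PASSWORD')

def meetsPolicy = { String p ->
    p != null && p.length() >= 12 &&
        (p =~ /[a-z]/).find() && (p =~ /[A-Z]/).find() &&
        (p =~ /[0-9]/).find() && (p =~ /[^A-Za-z0-9]/).find()
}
if (!meetsPolicy(adminPass)) {
    throw new IllegalStateException(
        'JENKINS_ADMIN_PASSWORD is unset or does not meet the 12-char mixed-class policy')
}

// Step 2: Jenkins' own user database with self sign-up disabled. Existing user
// records on disk are kept. For LDAP/AD/SAML construct that realm here instead;
// the identity provider then enforces password policy and MFA (steps 3 and 4),
// which the built-in realm cannot do by itself.
HudsonPrivateSecurityRealm realm = new HudsonPrivateSecurityRealm(false)
realm.createAccount(adminUser, adminPass)   // creates the account or resets its password
jenkins.setSecurityRealm(realm)

// Step 6: delete leftover accounts created by install scripts or images.
['jenkins', 'test', 'guest'].each { String id ->          // constructed list
    User u = User.getById(id, false)
    if (u != null && u.id != adminUser) {
        println "harden-auth: deleting leftover account '${id}'"
        u.delete()
    }
}

// Authorization: no anonymous read, CSRF crumbs on, no long-lived remember-me cookies.
// "Logged-in users can do anything" is the built-in minimum; for least privilege
// (step 5) switch to a matrix- or role-based strategy once that plugin is installed.
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
jenkins.setAuthorizationStrategy(strategy)
jenkins.setCrumbIssuer(new DefaultCrumbIssuer(true))   // true: leave client IP out of the crumb (proxy-friendly)
jenkins.setDisableRememberMe(true)
jenkins.save()

// Step 5 audit: which local accounts still accept a common password? This checks
// the stored hashes directly, so no login attempts are sent over the network.
List<String> commonPasswords = ['admin', 'password', 'jenkins', 'Password1', '123456']  // constructed
realm.getAllUsers().each { User u ->
    def details = u.getProperty(HudsonPrivateSecurityRealm.Details)
    if (details == null) { return }   // account not backed by the local database
    String hit = commonPasswords.find { String c -> details.isPasswordCorrect(c) }
    if (hit != null) {
        println "harden-auth: WEAK password on '${u.id}'; force a reset"
    }
}
```

Run it by placing the file in init.groovy.d, exporting the two environment variables for the Jenkins service, and restarting; the audit results appear in the Jenkins log. The same audit loop can be pasted into the script console on a running instance to re-check local accounts after a policy change.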