- Description: An attacker gains access to the Jenkins master using default or easily guessable credentials (e.g., "admin/admin"). They might use brute-force attacks or credential stuffing, targeting the Jenkins login page.
- Impact: Complete control over the Jenkins master, including job execution, configuration modification, credential access, and potential compromise of connected systems via configured integrations.
- Affected Component: Jenkins Web UI, Authentication system (specifically, the built-in user database if not using an external provider like LDAP).
- Risk Severity: Critical
- Mitigation Strategies:
- Change Default Credentials: Immediately change the default administrator password upon installation.
- Strong Password Policy: Enforce a strong password policy for all Jenkins users.
- Disable Default Admin Account: If possible, disable the default "admin" account and create named administrator accounts.
- Multi-Factor Authentication (MFA): Implement MFA for all users, especially administrators.
- External Authentication: Integrate with an external identity provider (LDAP, Active Directory, SSO).
- Description: An attacker exploits a known vulnerability in a Jenkins plugin to execute arbitrary code on the Jenkins master or a connected agent. They might leverage publicly available exploit code or develop their own, targeting a specific vulnerable plugin version.
- Impact: Remote code execution (RCE) on the Jenkins master or agent, leading to complete system compromise, data exfiltration, and potential lateral movement within the network.
- Affected Component: The vulnerable plugin (specific to the vulnerability), potentially affecting the Jenkins core (
hudson.model.Hudson) if the plugin has high privileges. Could involve specific plugin classes or functionalities. - Risk Severity: Critical (if RCE is possible), High (if limited code execution or data access, but still significant)
- Mitigation Strategies:
- Keep Plugins Updated: Regularly update all plugins to the latest versions, prioritizing security updates.
- Vulnerability Scanning: Use a vulnerability scanner that specifically checks for known Jenkins plugin vulnerabilities and integrates with the Jenkins update center.
- Plugin Vetting: Carefully evaluate plugins before installation, considering their security history, update frequency, and community support.
- Remove Unused Plugins: Uninstall any plugins that are not actively used to reduce the attack surface.
- Monitor Security Advisories: Subscribe to Jenkins security advisories and plugin-specific security mailing lists or RSS feeds.
- Description: An attacker compromises a Jenkins agent (build node) and uses it to escalate privileges and compromise the Jenkins master. This might involve exploiting vulnerabilities in the agent software, leveraging weak agent credentials, or exploiting misconfigured communication channels.
- Impact: Complete control over the Jenkins master, similar to direct unauthorized access, potentially leading to widespread system compromise.
- Affected Component: Jenkins agent software (e.g.,
agent.jar), communication protocols between master and agent (e.g., JNLP, SSH), potentially thehudson.remoting.Channelclass. - Risk Severity: High
- Mitigation Strategies:
- Secure Agent Communication: Use secure communication protocols (e.g., JNLP over TLS, SSH with strong key exchange algorithms) between the master and agents.
- Agent Hardening: Apply security patches and harden the operating system of agent machines, treating them with the same security rigor as the master.
- Agent Isolation: Use separate agents for different projects or environments to limit the impact of a single agent compromise. Consider containerized agents (Docker) for improved isolation.
- Least Privilege (Agent): Run agent processes with the minimum necessary privileges on the agent machine.
- Network Segmentation: Isolate agents on a separate network from the master, restricting network access.
- Description: An attacker with permission to modify build configurations or create/modify Pipeline scripts injects malicious Groovy code that executes with elevated privileges on the Jenkins master. This bypasses intended security restrictions.
- Impact: Remote code execution (RCE) on the Jenkins master, leading to complete system compromise and potential data breaches.
- Affected Component: Groovy scripting engine (
groovy.lang.GroovyShell), Script Security Plugin (if bypassed, disabled, or misconfigured),WorkflowScript(Pipeline script execution context). - Risk Severity: High
- Mitigation Strategies:
- Script Security Plugin: Use the Script Security Plugin to control which Groovy scripts can be executed and by whom. Enforce strict approval workflows.
- Script Approval: Require manual approval for Pipeline scripts that use potentially dangerous features or access sensitive resources.
- Groovy Sandbox: Utilize the Groovy sandbox provided by the Script Security Plugin to restrict the capabilities of scripts. Carefully configure the sandbox to allow necessary functionality while preventing malicious actions.
- Code Review: Thoroughly review all Groovy scripts for security vulnerabilities and potential bypasses of the sandbox before deployment.
- Limit Scripting: Minimize the use of complex Groovy scripts where possible. Prefer declarative Pipeline syntax over scripted Pipeline syntax to reduce the attack surface.
- Description: An attacker gains access to the artifact repository and modifies build artifacts after they are created, injecting malicious code.
- Impact: Deployment of compromised software, security vulnerabilities in production systems.
- Affected Component: Artifact storage mechanism (e.g., Jenkins built-in artifact repository, external repository like Artifactory or Nexus), potentially the
ArtifactManagerin Jenkins. - Risk Severity: High
- Mitigation Strategies: * Artifact Integrity Checks: Use checksums (e.g., SHA-256) to verify the integrity of build artifacts. * Digital Signatures: Digitally sign build artifacts to ensure authenticity. * Secure Artifact Storage: Store build artifacts in a secure repository with access controls and audit logging. * Immutable Artifacts: Treat build artifacts as immutable.