Thousands, if not more, Jenkins servers are vulnerable to data theft, takeover, and cryptocurrency mining attacks. This is because hackers can exploit two vulnerabilities to gain admin rights or log in using invalid credentials on these servers.
Both vulnerabilities were discovered by security researchers from CyberArk, were privately reported to the Jenkins team, and received fixes over the summer. But despite patches for both issues, there are still thousands of Jenkins servers available online.
Jenkins[1] is a web application for continuous integration[2] built in Java that allows development teams to run automated tests and commands on code repositories based on test results, and even automate the process of deploying new code to production servers.
Jenkins is a popular component in many companies' IT infrastructure and these servers are very popular with both freelancers and enterprises alike.
Two very dangerous flaws
Over the summer, CyberArk researchers discovered a vulnerability (tracked as CVE-2018-1999001[3]) that allows an attacker to provide malformed login credentials that cause Jenkins servers to move their config.xml file from the Jenkins home directory to another location.
If an attacker can cause the Jenkins server to crash and restart, or if he waits for the server to restart on its own, the Jenkins server then boots in a default configuration that features no security[4].
In this weakened setup, anyone can register on the Jenkins server and gain administrator access. With an administrator role in hand, an attacker can access private corporate source code, or even make code modifications to plant backdoors in a company's apps.
This lone issue would have been quite bad on its own, but CyberArk researchers also discovered a second Jenkins vulnerability --CVE-2018-1999043[5].