Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Jenkins Open User registration" module is designed to detect a misconfiguration in the Jenkins software. It targets the Jenkins application, which is an open-source automation server used for continuous integration and delivery of software projects. The severity of this module is classified as medium. The original author of this module is DhiyaneshDk.
If user registration is left open on a Jenkins instance, anyone who can reach it can register an account and access the Jenkins dashboard. This is a security risk: a self-registered user may reach sensitive build information, credentials or job configurations, or perform malicious actions within the Jenkins environment.
The module works by sending a GET request to the "/signup" path of the Jenkins application. It then applies several matching conditions to determine if the registration page is accessible:
- The response body must contain the phrase "Create an account! [Jenkins]".
- The response header must include the content type "text/html".
- The response status code must be 200 (OK).

If all of these conditions are met, the module identifies the misconfiguration and reports it as a vulnerability.
For example, the module sends a GET request to "/signup" and expects a response with a status code of 200, a content type of "text/html", and the phrase "Create an account! [Jenkins]" in the response body.
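The three matchers above, as an added standalone Python check (not the module's own code): `is_open_signup` applies the body, header and status conditions to a response, and `check_jenkins` runs them against a live `/signup` page using only the standard library. The base URL, the header dictionary shape and the sample responses are assumptions made for the example.

```python
import urllib.request
import urllib.error

# Matcher values taken from the module description above.
SIGNUP_PATH = "/signup"
BODY_MARKER = "Create an account! [Jenkins]"
CONTENT_TYPE = "text/html"
EXPECTED_STATUS = 200


def is_open_signup(status, headers, body):
    """Return True only when all three of the module's matchers hit.

    Header names are compared case-insensitively, and the content-type
    check is a substring match so that a real-world value such as
    "text/html;charset=utf-8" still satisfies it.
    """
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            ctype = value
            break
    return (status == EXPECTED_STATUS
            and CONTENT_TYPE in ctype.lower()
            and BODY_MARKER in body)


def check_jenkins(base_url, timeout=10):
    """Fetch <base_url>/signup and evaluate the matchers on the response.

    urllib raises HTTPError for non-2xx replies, so those are evaluated
    too; a 403 or 404 from a locked-down instance simply yields False.
    """
    url = base_url.rstrip("/") + SIGNUP_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "jenkins-signup-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return is_open_signup(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return is_open_signup(err.code, dict(err.headers), body)


# Constructed sample responses (not captured from a real server).
SAMPLE_OPEN = (200, {"Content-Type": "text/html;charset=utf-8"},
               "<html><head><title>Create an account! [Jenkins]</title></head></html>")
SAMPLE_DISABLED = (403, {"Content-Type": "text/html;charset=utf-8"},
                   "<html><body>Sign-up is disabled</body></html>")
SAMPLE_OTHER_APP = (200, {"Content-Type": "text/html"},
                    "<html><head><title>Sign up</title></head></html>")

if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("disabled", SAMPLE_DISABLED),
                          ("other", SAMPLE_OTHER_APP)):
        print(label, is_open_signup(*sample))
```

Only a response that satisfies all three matchers is reported; a page that merely returns 200 with HTML, or a Jenkins instance that answers `/signup` with an error status, does not.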
It is recommended to disable user self-registration in Jenkins to mitigate this misconfiguration.
Reference: https://www.acunetix.com/vulnerabilities/web/jenkins-open-user-registration/