Submitting as delegate for a Cisco pen-testing team
This is an enhancement to improve the security posture of the default Jenkins install.
Headline: Disable Jenkins API tokens by default
Platforms: Jenkins
Versions: 1.622
CWE Tags: CWE-671, CWE-424
Jenkins allows users to authenticate via multiple mechanisms, including an
automatically generated API token. Despite the name, the API token provides
users with a fully authenticated session (the same as if the user had logged in
using a password).
In many common usage scenarios, a user may never require an API token. For
example, a user who exclusively accesses Jenkins via the web-based UI will never
use an API token. Although probably less common, a user who exclusively
utilizes the SSH-based Jenkins CLI will also never use an API token.
In scenarios such as these, the existence of an active API token serves no
purpose to the user and represents a weakness in that it broadens the overall
attack surface. For this reason, API tokens should not be generated for users
unless they explicitly request a token. Furthermore, individual users should
have the ability to remove/disable existing API tokens. Lastly, Jenkins
administrators should be able to remove a user's API token (e.g. if the token
has been compromised) and disable the usage of API tokens system-wide.
References:
http://cwe.mitre.org/data/definitions/424.html
http://cwe.mitre.org/data/definitions/671.html
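Added example, not part of this issue or of Jenkins itself: a Groovy script for the Jenkins script console (Manage Jenkins, Script Console, which needs the Administer permission) that checks the two global settings this request asks for and inventories which users still hold an automatically generated legacy token. It assumes a Jenkins release with the reworked token system that resolved this issue (2.129 and later); the class and method names used are assumptions about that API and should be checked against the running version.

```groovy
// Added audit script for the Jenkins script console (assumed Jenkins 2.129+ API, not from this issue).
import hudson.model.User
import jenkins.security.ApiTokenProperty
import jenkins.security.apitoken.ApiTokenPropertyConfiguration

boolean DRY_RUN = true   // set to false to apply the hardened settings and revoke legacy-only tokens

// 1. Global policy: the "do not generate by default" and "disable system-wide" parts of the request.
def cfg = ApiTokenPropertyConfiguration.get()
println "tokenGenerationOnCreationEnabled = ${cfg.tokenGenerationOnCreationEnabled}"
println "creationOfLegacyTokenEnabled     = ${cfg.creationOfLegacyTokenEnabled}"
if (cfg.tokenGenerationOnCreationEnabled || cfg.creationOfLegacyTokenEnabled) {
    println "WEAK: accounts can still receive a token they never asked for, or a legacy one"
    if (!DRY_RUN) {
        cfg.tokenGenerationOnCreationEnabled = false   // hardened: tokens only on explicit request
        cfg.creationOfLegacyTokenEnabled = false       // hardened: no reversibly stored tokens
        cfg.save()
    }
}

// 2. Per-user inventory: who holds tokens, which are auto-generated legacy ones, and
//    whether they were ever used. A never-used token is pure attack surface.
int legacyHolders = 0
User.getAll().each { user ->
    ApiTokenProperty prop = user.getProperty(ApiTokenProperty.class)
    if (prop == null) return
    def tokens = prop.tokenList          // Collection<TokenInfoAndStats>
    if (tokens.isEmpty()) return
    println "${user.id}: ${tokens.size()} token(s)"
    tokens.each { t ->
        println "  ${t.name}: legacy=${t.isLegacy} uses=${t.useCounter} lastUse=${t.lastUseDate ?: 'never'}"
    }
    if (prop.hasLegacyToken()) {
        legacyHolders++
        boolean onlyLegacy = tokens.every { it.isLegacy }
        if (!DRY_RUN && onlyLegacy) {
            // Only the auto-generated token exists, so revoking removes nothing the user requested.
            prop.revokeAllTokens()
            user.save()
            println "  revoked legacy token for ${user.id}"
        } else if (!onlyLegacy) {
            println "  also holds explicitly created tokens; review before revoking"
        }
    }
}
println "${legacyHolders} user(s) still hold a legacy (auto-generated) API token"
```

Run it first with DRY_RUN left at true to get the inventory; the counts and last-use dates tell you which legacy tokens are dead weight before anything is revoked.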
Originally reported by crlorent, imported from: Disable Jenkins API tokens by default
- assignee: wfollonier
- status: Resolved
- priority: Minor
- component(s): core
- label(s): security, split-plugins-from-core
- resolution: Fixed
- resolved: 2018-06-26T11:09:39+00:00
- votes: 2
- watchers: 4
- imported: 2025-11-24