- Type: Bug
- Resolution: Unresolved
- Priority: Major
- Component/s: debian-package-builder-plugin
- Environment: Ubuntu
When you apt-get install jenkins from the upstream repository, the post-inst script starts it listening on all interfaces with no security configured, which allows remote code execution if somebody reaches it before the admin has had a chance to configure security.
The Jenkins package in Ubuntu ships a config file that binds to localhost only by default, mitigating this issue.
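An added check, not part of this issue or of either package: a shell function that runs over constructed `ss -ltnp` output and reports whether the listener on the Jenkins HTTP port is bound to anything other than loopback, which is the difference between the upstream post-inst behaviour and the Ubuntu config described above. It assumes the packaged default port 8080 and the `ss -H -ltnp` line format.

```shell
# Added example (not from the Jenkins issue). Constructed sample of what
# `ss -H -ltnp` prints on a host where the upstream package bound Jenkins
# to every interface (0.0.0.0 and [::]) alongside an unrelated cups socket.
UPSTREAM_SS_OUTPUT='LISTEN 0 50 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1234,fd=5))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=900,fd=7))
LISTEN 0 50 [::]:8080 [::]:* users:(("java",pid=1234,fd=9))'

# Constructed sample for the Ubuntu-style config: Jenkins on loopback only.
UBUNTU_SS_OUTPUT='LISTEN 0 50 127.0.0.1:8080 0.0.0.0:* users:(("java",pid=1234,fd=5))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=900,fd=7))'

# check_jenkins_bind SS_OUTPUT PORT
# Prints one "exposed: ADDR:PORT" line per socket on PORT that is not bound
# to a loopback address. Returns 0 when every such socket is loopback-only,
# 1 when at least one is reachable from other hosts.
check_jenkins_bind() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "LISTEN" && $4 ~ (":" port "$") {
      addr = $4
      sub(/:[0-9]+$/, "", addr)   # drop the port suffix
      gsub(/[][]/, "", addr)      # drop IPv6 brackets: [::] -> ::
      if (addr != "127.0.0.1" && addr != "::1") {
        print "exposed: " $4
        exposed = 1
      }
    }
    END { exit exposed ? 1 : 0 }'
}

# Stand-alone usage: replace the sample with live output, e.g.
#   check_jenkins_bind "$(ss -H -ltnp)" 8080
check_jenkins_bind "$UPSTREAM_SS_OUTPUT" 8080 || echo "Jenkins reachable beyond loopback"
check_jenkins_bind "$UBUNTU_SS_OUTPUT" 8080 && echo "Jenkins bound to loopback only"
```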