
Disable Jenkins API tokens by default

Description

Submitting as delegate for a Cisco pen-testing team.
This is an enhancement to improve the security posture of the default Jenkins install.

Headline: Disable Jenkins API tokens by default
Platforms: Jenkins
Versions: 1.622
CWE Tags: CWE-671, CWE-424

Jenkins allows users to authenticate via multiple mechanisms, including an
automatically generated API token. Despite the name, the API token provides
users with a fully authenticated session (the same as if the user had logged in
using a password).

In many common usage scenarios, a user may never require an API token. For
example, a user who exclusively accesses Jenkins via the web-based UI will never
use an API token. Although probably less common, a user who exclusively
utilizes the SSH-based Jenkins CLI will also never use an API token.

In scenarios such as these, the existence of an active API token serves no
purpose to the user and represents a weakness in that it broadens the overall
attack surface. For this reason, API tokens should not be generated for users
unless they explicitly request a token. Furthermore, individual users should
have the ability to remove/disable existing API tokens. Lastly, Jenkins
administrators should be able to remove a user's API token (e.g. if the token
has been compromised) and disable the usage of API tokens system-wide.

References:
http://cwe.mitre.org/data/definitions/424.html
http://cwe.mitre.org/data/definitions/671.html
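The three asks in the report (no token unless requested, per-user revocation, admin-side removal and a system-wide switch) map onto settings and per-user token data that Jenkins core exposes once the per-token store linked from this ticket (core PR #3271) is in place. The script below is an added example for the Jenkins script console; it is not part of this ticket or of the Jenkins project's own code. It assumes the `ApiTokenPropertyConfiguration` and `ApiTokenProperty` class and method names as they exist in core after that change (check them against the core version you run), and the `dryRun` and `unusedDays` knobs are this example's own.

```groovy
// Added example, not Jenkins project code. Run from Manage Jenkins > Script Console
// as an administrator. Class and method names are assumed from Jenkins core after
// PR #3271; verify them against your core version before relying on this.
import jenkins.model.Jenkins
import hudson.model.User
import jenkins.security.ApiTokenProperty
import jenkins.security.apitoken.ApiTokenPropertyConfiguration

Jenkins.get().checkPermission(Jenkins.ADMINISTER)

boolean dryRun = true   // example knob: set to false to revoke the tokens flagged below
int unusedDays = 90     // example knob: a token with no use in this window counts as surplus
Date cutoff = new Date() - unusedDays

// 1. System-wide posture (the "disable by default" part of the report):
//    no token minted automatically for new accounts, no legacy-style tokens.
//    Each setter persists the configuration itself.
def cfg = ApiTokenPropertyConfiguration.get()
cfg.setTokenGenerationOnCreationEnabled(false)
cfg.setCreationOfLegacyTokenEnabled(false)
cfg.setUsageStatisticsEnabled(true)   // required for the last-use dates read below

// 2. Per-user audit (the admin-side visibility and removal part of the report):
//    list accounts that carry tokens and flag those that look unused.
User.getAll().each { user ->
    def prop = user.getProperty(ApiTokenProperty)
    if (prop == null) return
    def tokens = prop.getTokenList()
    if (tokens.isEmpty() && !prop.hasLegacyToken()) return

    println "${user.id}: ${tokens.size()} token(s), legacyToken=${prop.hasLegacyToken()}"
    tokens.each { t ->
        // Never-used tokens are judged by creation date instead of last-use date.
        Date reference = t.lastUseDate ?: t.creationDate
        boolean stale = reference != null && reference.before(cutoff)
        println "  - ${t.name} uses=${t.useCounter} lastUse=${t.lastUseDate ?: 'never'}" +
                (stale ? "  <-- stale" : "")
        if (stale && !dryRun) {
            prop.getTokenStore().revokeToken(t.uuid)
            println "    revoked"
        }
    }
    if (!dryRun) user.save()
}
```

Run it once with `dryRun = true` to see which accounts hold tokens and which tokens have gone unused; only the configuration change in step 1 takes effect in that mode. The usage statistics must already have been enabled for a while before the last-use dates mean anything, so on a freshly upgraded instance treat every token as "never used" data until the window has elapsed.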

Activity

crlorent Craig Lorentzen created issue

danielbeck Daniel Beck made changes
  Project: Security Issues [ 10180 ] -> Jenkins [ 10172 ]
  Key: SECURITY-239 -> JENKINS-32442
  Workflow: Security v1.2 [ 168063 ] -> JNJira [ 168063 ]
  Status: Untriaged [ 10001 ] -> Open [ 1 ]
  Component/s: core [ 15593 ]
  Component/s: core [ 15738 ]

danielbeck Daniel Beck made changes
  Labels: security split-plugins-from-core

rtyler R. Tyler Croy made changes
  Workflow: JNJira [ 168072 ] -> JNJira + In-Review [ 182953 ]

jglick Jesse Glick made changes
  Link: This issue relates to JENKINS-32776 [ JENKINS-32776 ]

wfollonier Wadeck Follonier made changes
  Status: Open [ 1 ] -> In Progress [ 3 ]

wfollonier Wadeck Follonier made changes
  Remote Link: This issue links to "#3271 core (Web Link)" [ 20059 ]

wfollonier Wadeck Follonier made changes
  Link: This issue relates to JENKINS-52161 [ JENKINS-52161 ]

wfollonier Wadeck Follonier made changes
  Status: In Progress [ 3 ] -> Resolved [ 5 ]
  Assignee: Wadeck Follonier [ wfollonier ]
  Resolution: Fixed [ 1 ]

People

Assignee: wfollonier Wadeck Follonier
Reporter: crlorent Craig Lorentzen
Votes: 2
Watchers: 5