Jenkins issue JENKINS-30107

Login Credentials Brute Force

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major
    • Component: core
    • Environment: Ubuntu Server 12.04 64 bits

When using Jenkins' own user database, both in the web login and in the API calls, there is no lockout, IP blocking, captcha or similar protection. Therefore, an attacker can launch an unlimited brute force attack against the system to try and find usernames and passwords.

Some protection must be put in place to prevent the attacker from trying unlimited guesses against the username/password and the API auth values (project's token and user's token).

Tested on version 1.514.
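The kind of protection the report asks for, shown as an added example rather than Jenkins' own code: a sliding-window failure counter keyed on both the username and the client address, consulted before the credential check so that neither a single account nor a single client spraying many accounts can be guessed against without limit. The user database, the `LoginThrottle`/`authenticate` names, the thresholds and the fake clock are all constructed for this illustration; the same throttle keyed on client address would sit in front of an API token check.

```python
# Added example (not Jenkins code): per-user and per-IP sliding-window
# lockout in front of a password check. The user database, names and
# thresholds below are constructed for illustration.
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

ITERATIONS = 50_000  # PBKDF2 work factor; constructed value for the demo


class LoginThrottle:
    """Count failures per key (e.g. "user:alice" or "ip:10.0.0.1") inside a
    sliding window; once the threshold is reached the key is locked out."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                   # injectable so tests can fake time
        self._failures = defaultdict(deque)  # key -> recent failure times
        self._locked_until = {}              # key -> time the lock expires

    def is_locked(self, key):
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: forget it and the failures that caused it.
        del self._locked_until[key]
        self._failures.pop(key, None)
        return False

    def record_failure(self, key):
        """Register a failed attempt; return True if this one locks the key."""
        now = self.clock()
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures outside the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def build_user_db(plaintext_passwords):
    """Constructed stand-in for a user database: name -> (salt, PBKDF2 hash)."""
    db = {}
    for name, password in plaintext_passwords.items():
        salt = os.urandom(16)
        db[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))
    return db


def authenticate(username, password, client_ip, users, throttle):
    """Return "locked", "ok" or "bad-credentials". The throttle is consulted
    before the password is checked, so a locked caller learns nothing about
    whether the guess was right."""
    user_key, ip_key = "user:" + username, "ip:" + client_ip
    if throttle.is_locked(user_key) or throttle.is_locked(ip_key):
        return "locked"
    record = users.get(username)
    # Hash even for unknown usernames so response time does not reveal
    # which names exist.
    salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if record is not None and hmac.compare_digest(actual, expected):
        throttle.record_success(user_key)
        return "ok"
    throttle.record_failure(user_key)   # slows guessing against one account
    throttle.record_failure(ip_key)     # slows one client spraying many accounts
    return "bad-credentials"


def make_fake_clock(start=0.0):
    """Controllable clock for demonstrations and tests."""
    state = {"now": start}
    return (lambda: state["now"]), (lambda seconds: state.__setitem__("now", state["now"] + seconds))


if __name__ == "__main__":
    clock, advance = make_fake_clock()
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=120, clock=clock)
    users = build_user_db({"alice": "correct horse battery staple"})
    for guess in ("password", "123456", "letmein"):
        print(authenticate("alice", guess, "10.0.0.1", users, throttle))  # bad-credentials, three times
    print(authenticate("alice", "correct horse battery staple", "10.0.0.1", users, throttle))  # locked
    advance(121)
    print(authenticate("alice", "correct horse battery staple", "10.0.0.1", users, throttle))  # ok
```

Two design points matter for the report's concern. The lock is checked before any credential work, so a locked caller gets the same answer whether or not the guess was right, and the per-address key means a client cannot sidestep a per-account limit by rotating usernames. Locking the account key alone would let an attacker lock legitimate users out, which is why a short window with a bounded lockout is used rather than a permanent block.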

Assignee: Unassigned
Reporter: adrianbn (Adrian Bravo)
Votes: 1
Watchers: 7
