The administrative script console allows very broad access to Jenkins, and this has been a source of vulnerabilities in the past, e.g.
      https://www.rapid7.com/db/modules/exploit/multi/http/jenkins_script_console
      https://duckduckgo.com/?q=jenkins+script+console+java+execution&ia=web

      My team never uses this feature, and we'd like to reduce our attack surface by disabling the console completely, preferably from the system-level Jenkins config (/etc/sysconfig/jenkins on Linux). Is there an existing undocumented option for that? If not, will it be possible to add such an option?

      We do have mandatory auth and access control, but still would like to disable this feature.

          [JENKINS-35514] Ability to disable script console

          Oleg Nenashev added a comment -

          Theoretically it should be enough to disable the Jenkins.RUN_SCRIPTS permission in Authorization strategy, which does blocks permission inheritance. It would also block the groovy script CLI command.

          BTW I'm not sure which strategy provides such functionality

          Oleg Nenashev added a comment - Theoretically it should be enough to disable the Jenkins.RUN_SCRIPTS permission in Authorization strategy, which does blocks permission inheritance. It would also block the groovy script CLI command. BTW I'm not sure which strategy provides such functionality

          Daniel Beck added a comment -

          this has been a source of vulnerabilities in the past

          The CSRF protection option has existed for years and will have prevented those. Since Jenkins 2, it's enabled by default.

          Daniel Beck added a comment - this has been a source of vulnerabilities in the past The CSRF protection option has existed for years and will have prevented those. Since Jenkins 2, it's enabled by default.

          Daniel Beck added a comment -

          Probably a case of moving these scripting capabilities to a plugin. I think there's already an issue for it.

          Daniel Beck added a comment - Probably a case of moving these scripting capabilities to a plugin. I think there's already an issue for it.

          My original point was that even though the individual vulnerabilities or even vulnerability classes have been since fixed, the console still provides very broad privileges on the local Jenkins installation (and potentially local system, if the run-as user is misconfigured). If a particular team doesn't use the console, why should they have this potential security risk?

          Dmitry Erastov added a comment - My original point was that even though the individual vulnerabilities or even vulnerability classes have been since fixed, the console still provides very broad privileges on the local Jenkins installation (and potentially local system, if the run-as user is misconfigured). If a particular team doesn't use the console, why should they have this potential security risk?

          Daniel Beck added a comment -

          Pretty much a duplicate of JENKINS-29068 as a plugin can be disabled to remove its functionality.

          Daniel Beck added a comment - Pretty much a duplicate of JENKINS-29068 as a plugin can be disabled to remove its functionality.

            Unassigned Unassigned
            dskrvk Dmitry Erastov
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated: