H3-2022-0033¶

Unauthenticated Access to Jenkins People Directory

Description¶

The Jenkins People Directory requires no authentication.

Impact¶

An unauthenticated attacker can use the data available on this page to compile a list of known users to conduct further credential attacks with. Jenkins applications are likely targets of attackers due to the abundance of information and credentials stored on it.

References¶

• Managing Security
• Access granted with Overall/Read
• MITRE ATT&CK Technique: T1087: Account Discovery