
I receive vulnerability notifications for Jenkins, pretty much regularly... mostly XSS and RCE.

https://www.cvedetails.com/vulnerability-list/vendor_id-1586...

I'm just waiting for Apache to adopt it, and then it'll sit and fester like everything else in the Apache graveyard, full of vulnerabilities and slowly decaying.

Those are just Jenkins core exploits too... there are so many, many more for Jenkins plugins... https://www.cvedetails.com/vulnerability-list/vendor_id-1586...



Jenkins is now part of the CD Foundation (https://cd.foundation/), which is one of the Linux Foundation sub-foundations. Don't expect it to show up in the Apache Foundation.


I don't think tinix was expecting it to literally become an Apache project - he was just saying it's in a state of decay that Apache is infamous for.


Last place I was at had their unmanaged Jenkins servers get compromised and used to run crypto miners.


Were they using an older version of Jenkins on the public internet? There's been a randomized GUID applied to the initial Jenkins admin password, which you can only access if you have direct access to the Jenkins install. I think this was added in 2016.


It was an older version with a vulnerability, but as far as I know not a default password.
