Reminder: Enable CSRF Protection for Jenkins


Daniel Beck

Apr 15, 2016, 6:21:48 PM
to Jenkins Advisories
We have received reports of attacks targeting Jenkins installations that do not have cross-site request forgery[1] (CSRF) protection enabled (on Jenkins 1.x it is disabled by default). This is dangerous because it makes your Jenkins vulnerable to targeted attacks even if Jenkins is behind a firewall or on a private network, through specially crafted links sent via email or other media to unsuspecting users.

This is a reminder that you should enable this feature in your Jenkins instance, even if your instance is not directly exposed to the internet. See the Jenkins wiki[2] for more details about this feature. This is also a good opportunity to take another look at the "Secure Jenkins" wiki page[3], which discusses various security-related topics, including this one.

If you come across malware that is exploiting Jenkins or find vulnerabilities, please report them by following the responsible disclosure process outlined at [4]. This allows us to resolve those issues before the method of attack becomes publicly known.


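As an added example that is not part of the advisory above, the following Groovy init script enables the standard crumb-based CSRF protection at startup, which is the equivalent of ticking "Prevent Cross Site Request Forgery exploits" in Manage Jenkins > Configure Global Security. It uses the real `jenkins.model.Jenkins` and `hudson.security.csrf.DefaultCrumbIssuer` classes; the file name `csrf.groovy` and the `init.groovy.d` placement are assumptions about how you choose to deploy it.

```groovy
// $JENKINS_HOME/init.groovy.d/csrf.groovy  (file name and location are assumptions;
// any *.groovy file in init.groovy.d runs once at startup with full Jenkins access)
import jenkins.model.Jenkins
import hudson.security.csrf.DefaultCrumbIssuer

def jenkins = Jenkins.instance

if (jenkins.crumbIssuer == null) {
    // DefaultCrumbIssuer(excludeClientIPFromCrumb): passing true is the
    // "Enable proxy compatibility" option. Without it the crumb is bound to the
    // client IP, and a reverse proxy that changes the apparent client address
    // between requests will make otherwise valid crumbs fail.
    jenkins.crumbIssuer = new DefaultCrumbIssuer(true)
    jenkins.save()
    println "CSRF protection enabled (${jenkins.crumbIssuer.class.simpleName})"
} else {
    println "CSRF protection already enabled (${jenkins.crumbIssuer.class.simpleName})"
}
```

To verify after restart: `GET /crumbIssuer/api/json` on the instance returns a JSON document with `crumb` and `crumbRequestField` (it returns 404 while the issuer is unset), and a POST to any form or API endpoint that omits the crumb header is rejected with HTTP 403. Scripts and integrations that post to Jenkins must fetch a crumb first and send it in the header named by `crumbRequestField`.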