Products
Contrast Application Detection and Response (ADR)

Contrast Application and API Security Testing (AST)

Contrast One^TM

Contrast Runtime Security Platform

Contrast Protect (RASP)

Contrast Assess (IAST/DAST)

Contrast Scan (SAST)

Contrast Software Composition Analysis (SCA)
Developer Central

Log4j Response

Pricing

How We Compare

Languages

Integrations
Solutions
BY USE CASE

Why IAST?

DevSecOps

Automated Penetration Testing

AppSec Monitoring

API Security

Software Supply Chain Security

Runtime Protection

Software Bills of Materials (SBOMs)

GitHub CI/CD

Compliance Testing

Services

BY DEPARTMENT

Dev and DevOps Teams

Security

DevSecOps

CISO

BY INDUSTRY

Government

Financial Services

Healthcare

Others
Partner
Technology Partners

Systems Integrators

Ecosystem Integrations

Managed Security Services Providers

Channel Partners Overview

Cloud Partners

GitHub
Partner Program Overview

Become a Partner

Find a Partner

Visit Partner Portal
GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Read the Blog
Customers
Company
About Us

Leadership Team

Culture & Careers

Women of Contrast

Contact Us
Blog

Events & Webinars

Newsroom

Podcast

Awards
Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Learn More
Resources
Contrast for Developers

Contrast Secure Code Learn Hub

Contrast Community

Resource Center

OWASP Top 10

Accountability & Transparency

SBOMs

ContrastLive

Support

Services

Trust Center

Documentation

Product Release Notes

Blog

Podcast

Events

Glossary
Contrast Incident Response Hub

Spring4Shell Vulnerability

Log4j Vulnerability

Weekly CISO Update

Trust Center
Developers

Contrast Labs: Jenkins Maven HPI Plugin Exposes Developer Laptops

March 9, 2020

If you are like the development team at Contrast Security and build Jenkins plugins, then you probably find value in the maven-hpi-plugin. The Jenkins Maven HPI Plugin hpi:run target initializes a local Jetty HTTP server with the current plugin project for development testing. This enables plugin developers to quickly prototype and test without deploying plugins to a separately managed instance.

However, during a penetration test, we found this exposes the Jenkins web application on all interfaces with no authentication by default. Any adversary on the same network can access the script console and compromise the running machine.

jenkins-maven-HPI

Jenkins Script Console Command Execution

Ideally, the plugin should configure Jetty to listen on localhost only by default, and provide configuration options and documentation in the event a user wants external hosts to access the Jenkins instance. Contrast Labs reported this issue to the Jenkins team since no configuration option was available to disable listening on all interfaces.

No CVE or formal notice was created since this issue only affects developers and not users. Starting in Jenkins 2.223, the plugin should only listen on the loopback interface (localhost) by default, unless the configuration option -Dhost=0.0.0.0 is specified.

11/18/2019: Issue reported to Jenkins (SECURITY-1667)
2/13/2020: Follow up with Jenkins
3/4/2020: Notice sent to DEV mailing list

DevOps

Contrast Marketing

AppSec Instrumentation Addresses AppSec Skills Shortage

Security Concerns Remain with Containers and Kubernetes Per New Report

BY USE CASE

BY DEPARTMENT

BY INDUSTRY

GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Contrast Incident Response Hub

Contrast Labs: Jenkins Maven HPI Plugin Exposes Developer Laptops

Contrast Marketing

Loving our content? Subscribe now!