Jenkins avoids disaster after partial loss of user database

Jenkins avoids disaster after partial loss of user database Cybersecurity

The developers of the open source automation server Jenkins said they had successfully recovered their infrastructure after a partial loss of the user database.

The incident took place last week, June 2, and caused the Jenkins Artifactory portal to crash – used by Jenkins plugin developers to download and manage plugin artifacts.

The Jenkins team said that an error in a Kubernetes system forced them to rebuild parts of the Artifactory portal from scratch.

During this rebuilding process, the team said they lost three months of changes to the LDAP database, including details about the user accounts used by Jenkins plugin developers.

“Our corporate account (42Crunch) is one of the accounts that has been deleted,” said Dmitry Sotnikov (, product manager at 42Crunch, at ZDNet in an interview yesterday.

Sotnikov said he followed the instructions of the Jenkins team and re-registered their old account.

“Once we did, we found that this new account automatically obtained the access and permissions that the old, deleted account had – including full ownership of our Jenkins extension in the market.

“It means someone could have dubbed us and registered an account with a name identical to ours, and then pushed a malicious update to users on our behalf,” said Sotnikov.

Mr. Sotnikov also raised the issue with Jenkins staff on their Google Groups discussion forum.

Following the discovery of the director of 42Crunch, the Jenkins team blocked all loading of new artifacts on the Jenkins Artifactory portal in order to prevent malicious actors from taking advantage of this flaw and replacing plugin artifacts (files) with versions malicious.

No signs of malicious activity

The Jenkins team also performed a security audit. The developers said they looked at all of the artifact downloads between June 2 (the outage) and June 9, when the issue was brought to their attention and found no suspicious downloads.

Jenkins Developers Said If A Malicious Actor Could Download New Artifacts, The Real Risk Of Delivering Malicious Plugin Remains Low As Attackers Also Should Have Hijacked User Plugin Account At The Same Time As Jenkins Account Artifactory.

Jenkins developers are preparing to reveal the incident to all Artifactory users who had their accounts deleted during the June 2 blackout, and are implementing additional verification measures to prevent any attempts to hijack accounts by unauthorized third parties.


Rate article
Add comment