While logging in through Jenkins, application-layer password encryption is not in place, resulting in the vulnerability of password disclosure.
Even if SSL is in place, SSL will encrypt the password after the proxy only, hence allowing users at the proxy to intercept communication and disclose the password.
Please provide a solution for the same.
The default user implementation is kind of designed as a reference. You probably want to use something like LDAP or OIDC or SAML or any other implementation.
Even if an LDAP implementation is there, the username and password entered in the user's browser will be transmitted in plain text (at least up to the proxy).
TLS implementation will encrypt the password once it leaves the proxy/network. A man-in-the-middle attacker (on or before the proxy) will be able to see the password.
Cool, well I recommend you:
- use a dedicated system like Okta, Keycloak, or Authentik that will let you authenticate with systems designed for security.
- If that doesn't work for you, then your option is to use TLS.
- If that doesn't provide enough for you, then you can submit a pull request with the updates required, and/or pay a contractor to implement the feature for you.
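The "plaintext up to the proxy" gap discussed in this thread is normally closed by terminating TLS at the proxy itself (so the browser-to-proxy leg is already encrypted) and re-encrypting the proxy-to-Jenkins hop. The following nginx configuration is an added example written for this page; it is not from the thread or from the Jenkins project, and the hostnames, certificate paths and upstream address are placeholders.

```nginx
# Added example: nginx as a TLS-terminating reverse proxy in front of Jenkins.
# Hostnames, certificate paths and the upstream address are placeholders.
server {
    listen 80;
    server_name jenkins.example.com;
    # Never serve the login form over plain HTTP; send every request to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name jenkins.example.com;

    ssl_certificate     /etc/nginx/tls/jenkins.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/jenkins.example.com.key;   # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # Ask browsers to refuse plaintext for this host in future (HSTS).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Re-encrypt the hop to Jenkins so the password is not in clear on the internal wire.
        proxy_pass https://jenkins-backend.internal:8443;   # placeholder upstream
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;  # placeholder
        proxy_ssl_name jenkins-backend.internal;
        proxy_ssl_server_name on;

        # Headers Jenkins expects behind a reverse proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_read_timeout 90;
    }
}
```

For the re-encrypted backend hop, Jenkins must itself listen on HTTPS (for example via its `--httpsPort` startup option with a certificate issued by the internal CA referenced above); if the proxy and Jenkins share a host and the hop is on loopback, a plain `http://` upstream is the usual alternative. Either way, with TLS on the client-facing listener the credential is encrypted before it reaches the proxy, and only the proxy operator, who is part of the trusted deployment, can see it.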