Qualys QID 86728 - Web Server Uses Plain-Text Form Based Authentication

Hi, it appears we are getting a vulnerability hit on Jenkins due to the Jenkins installation request for Unlocking Jenkins: “When you first access a new Jenkins instance, you are asked to unlock it using an automatically-generated password.” Is there a way to remove or comment this out?

Getting Started

Unlock Jenkins

To ensure Jenkins is securely set up by the administrator, a password has been written to the log (not sure where to find it?) and this file on the server:

C:\Program Files (x86)\Jenkins\secrets\initialAdminPassword

Please copy the password from either location and paste it below.

Administrator password

GET /login?next=/getting-started?next%3D/ HTTP/1.0

I believe it only does that if no users are defined. You can use something like https://plugins.jenkins.io/configuration-as-code/ to auto configure it, or have a $JENKINS_HOME mounted that has existing config files/users. You can disable the first run wizard, but without having something configured, I’m not sure how you’d get into your installation.
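As an added example (not from the original post or the Jenkins project), here is a minimal Configuration as Code file that pre-creates a local admin account and locks down anonymous access, so the unlock/setup wizard never needs to run. It assumes the Configuration as Code plugin is already present in $JENKINS_HOME/plugins before first start (for example baked into an image), that the file is pointed to by the CASC_JENKINS_CONFIG environment variable, and that the admin password is supplied through an ADMIN_PASSWORD environment variable; the user id "admin" and the file path are assumptions for the example.

```yaml
# jenkins.yaml (added example; path and user id are assumptions)
# Loaded by the Configuration as Code plugin via CASC_JENKINS_CONFIG=/var/jenkins_home/jenkins.yaml
jenkins:
  # Defines a user up front, so "no users defined" no longer triggers the unlock wizard
  securityRealm:
    local:
      allowsSignup: false
      users:
        - id: "admin"
          # Password comes from the environment; never commit a literal here
          password: "${ADMIN_PASSWORD}"
  # Logged-in users get full control; anonymous gets nothing (including read)
  authorizationStrategy:
    loggedInUsersCanDoAnything:
      allowAnonymousRead: false
```

Start Jenkins with the wizard disabled as well, e.g. JAVA_OPTS="-Djenkins.install.runSetupWizard=false", so the getting-started page is never served. One caveat: the QID in the title is about a login form being submitted over plain HTTP, not about the wizard as such, so once the wizard is gone the ordinary /login form will still be reported unless Jenkins is reached only over HTTPS (TLS on Jenkins itself or on a reverse proxy in front of it).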