A DNS misconfiguration resulted in an open Jenkins server being available to all.
A public Jenkins server owned by GE Aviation has exposed source code, plaintext passwords, global system configuration details and private keys from the company’s internal commercial infrastructure.
GE Aviation, a subsidiary of General Electric, is among the top commercial aircraft engine suppliers, and offers various airplane components. The server also contained a ReadMe file outlining all the files on the server and their sensitivity.
Jenkins is an open-source automation server written in Java. A misconfiguration in the server’s DNS scheme caused the impacted server to become exposed to the open internet, according to the company. DNS is the system that converts human-readable domain names into machine-readable IP addresses.