- The server contained source code, passwords, configuration details, and other sensitive information related to GE Aviation’s internal infrastructure.
- It was one of 5,495 publicly reachable Jenkins instances indexed by Shodan.
A publicly reachable Jenkins server belonging to GE Aviation was found exposing sensitive data to the open internet. Security researcher Bob Diachenko came across the server while searching the Shodan search engine for open Jenkins instances. The server is believed to be part of GE Aviation's internal, commercial infrastructure. Over the one-month span of that search, Diachenko found 5,495 open Jenkins instances on Shodan.
GE Aviation is a subsidiary of GE and is one of the top aircraft engine suppliers in the world.
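The exposure above was found by searching Shodan for Jenkins servers, and the same check is easy to run against your own perimeter. The helper below is an added example, not code from the article or from GE Aviation. It assumes two Jenkins behaviours: every response carries an `X-Jenkins: <version>` header (which is what Shodan indexes; a common query is simply `X-Jenkins`), and `GET /api/json` returns HTTP 403 rather than the job list when anonymous read access is disabled. The sample responses are constructed, not captured from any real host, and the `probe` function is a live network call that the embedded samples do not exercise.

```python
"""Audit helper: does a Jenkins instance answer /api/json to anonymous clients?

Added example, not code from the article or from GE Aviation. Assumption:
Jenkins sends an `X-Jenkins` header on every response and answers 403 to
GET /api/json when anonymous read access is disabled.
"""
import json
import urllib.error
import urllib.request


def classify_jenkins_response(status, headers, body):
    """Classify one HTTP response to GET <base>/api/json.

    Returns 'not-jenkins', 'jenkins-auth-required' or 'jenkins-anonymous-read'.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if "x-jenkins" not in lower:
        return "not-jenkins"
    if status != 200:
        # Jenkins answers 403 here when anonymous read is off.
        return "jenkins-auth-required"
    try:
        data = json.loads(body)
    except ValueError:
        # A 200 carrying an HTML login page instead of JSON: still locked down.
        return "jenkins-auth-required"
    if isinstance(data, dict) and "jobs" in data:
        return "jenkins-anonymous-read"
    return "jenkins-auth-required"


def summarize_exposure(status, headers, body):
    """Return what an unauthenticated observer learns from one response."""
    lower = {k.lower(): v for k, v in headers.items()}
    verdict = classify_jenkins_response(status, headers, body)
    summary = {"verdict": verdict, "version": lower.get("x-jenkins"), "jobs": []}
    if verdict == "jenkins-anonymous-read":
        # Job names alone already leak project and environment names.
        summary["jobs"] = [j.get("name") for j in json.loads(body).get("jobs", [])]
    return summary


def probe(base_url, timeout=10):
    """Fetch <base_url>/api/json and summarize it. Live network call."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/json",
        headers={"User-Agent": "jenkins-exposure-audit"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return summarize_exposure(resp.status, dict(resp.getheaders()), body)
    except urllib.error.HTTPError as err:
        # 401/403 responses still carry X-Jenkins, which is what we classify on.
        body = err.read().decode("utf-8", "replace")
        return summarize_exposure(err.code, dict(err.headers.items()), body)


# Constructed sample responses (hypothetical version string, not from any real host).
SAMPLE_OPEN = (
    200,
    {"X-Jenkins": "2.150.1", "Content-Type": "application/json;charset=utf-8"},
    '{"mode":"NORMAL","jobs":[{"name":"build-fw"},{"name":"deploy-internal"}]}',
)
SAMPLE_LOCKED = (
    403,
    {"X-Jenkins": "2.150.1", "X-You-Are-Authenticated-As": "anonymous"},
    "Access Denied",
)
SAMPLE_NOT_JENKINS = (
    200,
    {"Server": "nginx", "Content-Type": "text/html"},
    "<html><body>hello</body></html>",
)

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_LOCKED, SAMPLE_NOT_JENKINS):
        print(summarize_exposure(*sample))
```

An instance that classifies as `jenkins-anonymous-read` is what this story is about: anyone who finds it can read job configurations, build logs and, often, the credentials embedded in them. Run `probe("https://jenkins.example.internal")` from outside your network to confirm the server is not reachable at all, which is the stronger fix.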
- A ‘Readme’ file Diachenko encountered described the nature and sensitivity of the files on the exposed server.
- The server contained source code, plaintext passwords, configuration details, and private keys related to GE Aviation’s infrastructure.
- After Diachenko contacted GE Aviation, the company’s security team took the Jenkins server down immediately.
- GE Aviation said that the exposed server was the result of a DNS misconfiguration.
What was the response?
The GE team classified the incident as a medium-risk vulnerability even though it involved sensitive information. Note that credentials usable only from inside the network still shorten the path for anyone who later gains a foothold there, which is why plaintext secrets in build configuration are generally treated as a finding regardless of network reachability.
“Plaintext usernames and passwords were exposed on this server, but these credentials mapped to applications only accessible from our internal network, and no customer data, nor any significant GE data, was impacted,” GE stated in an explanation to Diachenko.
“Furthermore, even if a malicious actor were to have acquired these credentials, they would also need access to our internal environment to exploit them,” the company added.