This advisory announces a vulnerability in Jenkins.
Updated 2017-09-28: Clarified which options are disabled by default. Clarified that it affects only instances that originally installed 2.80.
Jenkins 2.80 did not correctly initialize the setup wizard on the first startup. This resulted in the following security settings not being set to the usual strict default:
No security realm was defined, and no admin user was created whose password was written to the Jenkins log or the
The authorization strategy remained Anyone can do anything rather than Logged-in users can do anything.
The TCP port for JNLP agents, usually disabled by default, was open unless a Java system property controlling it was set.
CLI over Remoting was enabled.
CSRF Protection was disabled.
Agent → Master Access Control was disabled.
Affected instances need to be configured to restrict access.
Jenkins instances upgraded from 2.79 or earlier to 2.80 without completing the setup wizard will no longer show the setup wizard, but are locked and need the initial administrator password to unlock.
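To find out whether an instance is in the weak state the list above describes, the following script can be run from the Jenkins script console (Manage Jenkins → Script Console). It is an added example, not part of the advisory or of Jenkins itself, and it assumes the core APIs of the 2.80 era: `SecurityRealm.NO_AUTHENTICATION`, `AuthorizationStrategy.UNSECURED`, `jenkins.CLI` and `jenkins.security.s2m.AdminWhitelistRule` are taken to exist with the semantics noted in the comments.

```groovy
import jenkins.model.Jenkins
import hudson.security.SecurityRealm
import hudson.security.AuthorizationStrategy
import jenkins.CLI as RemotingCLI                    // assumed: CLI-over-Remoting toggle of that era
import jenkins.security.s2m.AdminWhitelistRule       // assumed: Agent -> Master access control rule

def j = Jenkins.instance
def findings = []

// 1. "No security realm was defined": NO_AUTHENTICATION is the realm used when none is set.
if (j.securityRealm == SecurityRealm.NO_AUTHENTICATION) {
    findings << 'No security realm configured: every request is anonymous'
}
// 2. "Anyone can do anything" is the UNSECURED authorization strategy.
if (j.authorizationStrategy == AuthorizationStrategy.UNSECURED) {
    findings << 'Authorization strategy is "Anyone can do anything"'
}
// 3. JNLP agent TCP port: -1 means disabled, 0 a random port, >0 a fixed port.
if (j.slaveAgentPort != -1) {
    def port = (j.slaveAgentPort == 0) ? 'random' : j.slaveAgentPort.toString()
    findings << "TCP port for JNLP agents is open (${port})"
}
// 4. CLI over Remoting should be off; the advisory says 2.80 left it on.
if (RemotingCLI.get().isEnabled()) {
    findings << 'CLI over Remoting is enabled'
}
// 5. CSRF protection is implemented by a crumb issuer; null means it is disabled.
if (j.crumbIssuer == null) {
    findings << 'CSRF protection is disabled (no crumb issuer configured)'
}
// 6. Agent -> Master Access Control: the "master kill switch" being on means the control is off.
def rule = j.getExtensionList(AdminWhitelistRule)[0]
if (rule.masterKillSwitch) {
    findings << 'Agent -> Master Access Control is disabled'
}

if (findings.isEmpty()) {
    println 'All six settings from the advisory are in their strict state.'
} else {
    println "Weak settings matching the Jenkins 2.80 advisory (${findings.size()} of 6):"
    findings.each { println "  - ${it}" }
}
return findings
```

Each reported item corresponds to one entry in the advisory's list and is corrected under Manage Jenkins → Configure Global Security; the script only reads configuration and changes nothing.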