Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03eHA4LTd3cXgtNWhxeM4AAjcV
Jenkins REST APIs vulnerable to clickjacking
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not serve the X-Frame-Options: deny HTTP header on REST API responses to protect against clickjacking attacks. An attacker could exploit this by routing the victim through a specially crafted web page that embeds a REST API endpoint in an iframe and tricking the user into performing an action which would allow for the attacker to learn the content of that REST API endpoint.
Jenkins 2.219, LTS 2.204.2 now adds the X-Frame-Options: deny HTTP header to REST API responses, which prevents these types of clickjacking attacks.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03eHA4LTd3cXgtNWhxeM4AAjcV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 3.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Identifiers: GHSA-7xp8-7wqx-5hqx, CVE-2020-2105
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2105
- https://access.redhat.com/errata/RHBA-2020:0402
- https://access.redhat.com/errata/RHBA-2020:0675
- https://access.redhat.com/errata/RHSA-2020:0681
- https://access.redhat.com/errata/RHSA-2020:0683
- https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1704
- http://www.openwall.com/lists/oss-security/2020/01/29/1
- https://github.com/jenkinsci/jenkins/commit/639ade55caa05324c60d15b2fa8df27ee0111b76
- https://github.com/advisories/GHSA-7xp8-7wqx-5hqx
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.205, <= 2.218, <= 2.204.1Fixed in: 2.219, 2.204.2