[MAVEN:GHSA-7XP8-7WQX-5HQX] Jenkins REST APIs vulnerable to clickjacking

Severity Low

Affected Packages 2

Fixed Packages 2

CVEs 1

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not serve the X-Frame-Options: deny HTTP header on REST API responses to protect against clickjacking attacks. An attacker could exploit this by routing the victim through a specially crafted web page that embeds a REST API endpoint in an iframe and tricking the user into performing an action which would allow for the attacker to learn the content of that REST API endpoint.

Jenkins 2.219, LTS 2.204.2 now adds the X-Frame-Options: deny HTTP header to REST API responses, which prevents these types of clickjacking attacks.

Package	Affected Version
pkg:maven/org.jenkins-ci.main/jenkins-core	>= 2.205, <= 2.218
pkg:maven/org.jenkins-ci.main/jenkins-core	<= 2.204.1

Package	Fixed Version
pkg:maven/org.jenkins-ci.main/jenkins-core	= 2.219
pkg:maven/org.jenkins-ci.main/jenkins-core	= 2.204.2

ID

MAVEN:GHSA-7XP8-7WQX-5HQX

Severity

low

URL

https://github.com/advisories/GHSA-7xp8-7wqx-5hqx

Published

2022-05-24T17:07:41
(2 years ago)

Modified

2023-12-13T12:11:30
(9 months ago)

Rights

Maven Security Team

Other Advisories

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2020-2105
			https://access.redhat.com/errata/RHBA-2020:0402
			https://access.redhat.com/errata/RHBA-2020:0675
			https://access.redhat.com/errata/RHSA-2020:0681
			https://access.redhat.com/errata/RHSA-2020:0683
			https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1704
			http://www.openwall.com/lists/oss-security/2020/01/29/1
			https://github.com/jenkinsci/jenkins/commit/639ade55caa05324c60d15b2fa8df27ee0111b76
			https://github.com/advisories/GHSA-7xp8-7wqx-5hqx

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	>= 2.205 <= 2.218
Fixed	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	= 2.219
Affected	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	<= 2.204.1
Fixed	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	= 2.204.2

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date