
CVE-2020-2105 org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.204.2 || >=2.205 <2.219

Severity

Level: Low

CVSS v3.0 (base score 3.1, Low): CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00533 (percentile 0.66406)

Details

Jenkins REST APIs vulnerable to clickjacking

Jenkins 2.218 and earlier, and LTS 2.204.1 and earlier, do not serve the `X-Frame-Options: deny` HTTP header on REST API responses, so a page on any other origin can load those responses inside a frame. An attacker could exploit this by directing the victim to a specially crafted web page that embeds a REST API endpoint in an iframe and tricking the user into performing an action that discloses the content of that endpoint to the attacker (clickjacking, CWE-1021).

Jenkins 2.219 and LTS 2.204.2 add the `X-Frame-Options: deny` HTTP header to REST API responses, which prevents this type of clickjacking attack.
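The check a practitioner wants here is whether a given response can still be framed cross-origin. The script below is an added example, not Jenkins code and not part of this advisory: it classifies a response's headers the way current browsers do (a Content-Security-Policy `frame-ancestors` directive takes precedence over `X-Frame-Options`; `DENY` and `SAMEORIGIN` block cross-origin framing; `ALLOW-FROM` is ignored by current browsers and so counts as no protection). The two sample header sets are constructed to resemble a Jenkins `/api/json` reply before and after the fix; they are not captured from a real server, and the `X-Jenkins` version values are illustrative.

```python
"""Cross-origin frameability check for HTTP responses (the CVE-2020-2105 condition).

Added example, not Jenkins code. Decides whether a page on another origin could
load the response in an <iframe>, following current browser behaviour:
  * a CSP frame-ancestors directive overrides X-Frame-Options entirely;
  * X-Frame-Options DENY / SAMEORIGIN block cross-origin framing;
  * ALLOW-FROM is ignored by current browsers, so it offers no protection;
  * a missing or unrecognised value leaves the response frameable.
"""
import sys
import urllib.error
import urllib.request
from typing import List, Mapping, Optional, Tuple


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup of a single header value."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list (quotes stripped), or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def cross_origin_frameable(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (frameable, reason) for a response carrying these headers."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:
            # 'none' is ignored when other sources are listed; an empty list matches nothing.
            allowed = [a for a in ancestors if a != "none"]
            if not allowed or allowed == ["self"]:
                return False, "CSP frame-ancestors blocks cross-origin framing"
            return True, f"CSP frame-ancestors permits {allowed}"
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True, "no X-Frame-Options header (the CVE-2020-2105 condition)"
    value = xfo.lower()
    if value in ("deny", "sameorigin"):
        return False, f"X-Frame-Options: {value}"
    if value.startswith("allow-from"):
        return True, "X-Frame-Options ALLOW-FROM is ignored by current browsers"
    return True, f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"


# Constructed header sets shaped like a Jenkins /api/json reply before and after
# the fix. Not captured from a real server; version strings are illustrative.
VULNERABLE_REST_RESPONSE = {
    "Content-Type": "application/json;charset=utf-8",
    "X-Jenkins": "2.218",
}
FIXED_REST_RESPONSE = {
    "Content-Type": "application/json;charset=utf-8",
    "X-Jenkins": "2.219",
    "X-Frame-Options": "deny",
}


def check_live(url: str) -> Tuple[bool, str]:
    """Fetch a URL (e.g. https://jenkins.example/api/json) and classify its headers.

    Needs network access; the offline samples above do not use it. Error responses
    (401/403 on a non-anonymous instance) are classified by their headers too, since
    the header is expected on every REST API response.
    """
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            headers = dict(resp.getheaders())
    except urllib.error.HTTPError as err:
        headers = dict(err.headers.items())
    return cross_origin_frameable(headers)


if __name__ == "__main__":
    for label, sample in (("before fix", VULNERABLE_REST_RESPONSE), ("after fix", FIXED_REST_RESPONSE)):
        frameable, why = cross_origin_frameable(sample)
        print(f"{label}: frameable={frameable} ({why})")
    if len(sys.argv) > 1:
        frameable, why = check_live(sys.argv[1])
        print(f"{sys.argv[1]}: frameable={frameable} ({why})")
```

Run it with no arguments to see the two constructed samples classified, or pass the URL of a REST endpoint (a JSON or XML endpoint, not the HTML UI, since the UI carried the header before this fix) to test an instance. The CSP branch is deliberately consulted first: a `frame-ancestors` directive that allows a partner origin will override an `X-Frame-Options: deny` in the same response, which is an easy way to silently undo this fix with a later hardening change.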

Metadata

Created: 2022-05-24T17:07:41Z
Modified: 2022-12-19T21:14:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7xp8-7wqx-5hqx/GHSA-7xp8-7wqx-5hqx.json
CWE IDs: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)
Alternative ID: GHSA-7xp8-7wqx-5hqx
Finding: F360
Auto approve: 1