Clickjacking in Jenkins and Jenkins LTS - CVE-2020-2105


Published: January 30, 2020


Vulnerability identifier: #VU24764
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-2105
CWE-ID: CWE-451
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Jenkins
Jenkins LTS

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a clickjacking attack.

The vulnerability exists because the affected software does not serve the "X-Frame-Options: deny" HTTP header on REST API responses to protect against clickjacking attacks. A remote attacker can route the victim through a specially crafted web page that embeds a REST API endpoint in an iframe and trick the user into performing an action that would allow the attacker to learn the content of that REST API endpoint.
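As an added example (not code from this advisory or from the Jenkins project), a small check an administrator can run against their own instance after updating: it requests the Jenkins root and the REST API path `/api/json` (assumed here as the endpoint to verify) and reports whether each response carries `X-Frame-Options: deny`/`sameorigin` or an equivalent CSP `frame-ancestors` directive.

```python
"""Verify that a Jenkins instance's REST API responses carry a
clickjacking defence (the X-Frame-Options header the advisory names,
or a CSP frame-ancestors directive that restricts framing)."""
import sys
import urllib.error
import urllib.request

# Paths to probe: the root page for comparison and the Jenkins REST API
# path (assumed here; adjust for a reverse-proxy prefix if needed).
PATHS = ("/", "/api/json")


def frame_protection(headers):
    """Return (protected, reason) for one response's header mapping."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return True, f"X-Frame-Options: {xfo}"
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.strip("'").lower() for p in parts[1:]]
            # Only 'none' / 'self' block framing by arbitrary third parties.
            if sources and all(s in ("none", "self") for s in sources):
                return True, f"CSP frame-ancestors {' '.join(parts[1:])}"
    if xfo:
        return False, f"unrecognised X-Frame-Options value: {xfo!r}"
    return False, "no X-Frame-Options or CSP frame-ancestors header"


def check_jenkins(base_url, timeout=10):
    """Fetch each path and report whether its response is frame-protected."""
    results = {}
    for path in PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = frame_protection(dict(resp.headers.items()))
        except urllib.error.HTTPError as exc:
            # A 403 for an unauthenticated API call still carries headers.
            results[path] = frame_protection(dict(exc.headers.items()))
    return results


if __name__ == "__main__":
    for path, (ok, why) in check_jenkins(sys.argv[1]).items():
        print(f"{path}: {'OK' if ok else 'MISSING'} ({why})")
```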


How to mitigate CVE-2020-2105

Install updates from vendor's website.

Sources