#VU24764 Clickjacking in Jenkins and Jenkins LTS - CVE-2020-2105


Published: January 30, 2020


Vulnerability identifier: #VU24764
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-2105
CWE-ID: CWE-451
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Jenkins
Jenkins LTS
Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to perform a clickjacking attack.

The vulnerability exists because the affected software does not serve the "X-Frame-Options: deny" HTTP header on REST API responses, which would protect against clickjacking attacks. A remote attacker can route the victim to a specially crafted web page that embeds a REST API endpoint in an iframe and trick the user into performing an action that lets the attacker learn the content of that REST API endpoint.
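As an added example (not part of this advisory or of Jenkins's own code), the following Python checker parses a raw HTTP response and reports whether it carries anti-framing protection, so an administrator can verify that REST API responses now serve the header; the two sample responses are constructed, not captured from a real instance.

```python
"""Check whether an HTTP response is protected against framing (clickjacking)."""
from typing import Dict, Tuple

# Constructed sample responses: a REST API reply without the header, as the
# advisory describes, and the same reply with "X-Frame-Options: deny" added.
UNPROTECTED_API_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json;charset=utf-8\r\n"
    b"\r\n"
    b'{"jobs":[]}'
)
PROTECTED_API_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json;charset=utf-8\r\n"
    b"X-Frame-Options: deny\r\n"
    b"\r\n"
    b'{"jobs":[]}'
)

def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return the response headers as a dict keyed by lower-cased name."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")[1:]  # drop the status line
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether the response forbids cross-site framing.

    X-Frame-Options DENY or SAMEORIGIN counts, as does a Content-Security-Policy
    frame-ancestors directive that does not allow arbitrary origins. The obsolete
    ALLOW-FROM form is not honoured by current browsers and is not counted.
    """
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {xfo}"
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.strip("'").lower() for s in parts[1:]}
            if "*" not in sources:
                return True, f"CSP frame-ancestors {' '.join(parts[1:])}"
    return False, "no anti-framing header: response can be embedded in an iframe"

def check_response(raw: bytes) -> Tuple[bool, str]:
    """Parse a raw response and evaluate its framing protection."""
    return framing_protection(parse_headers(raw))
```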


Remediation

Install updates from vendor's website.

External links