Security context
MediumGHSA-w3f5-gq7j-m797 CVE-2014-2063Published May 17, 2022

Jenkins Vulnerable to Clickjacking

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

1.533 → fixed in 1.5510 → fixed in 1.532.2

Details

Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

The fix

[FIXED SECURITY-80] Add X-Frame-Options head to prevent

Vojtech Juranek· Jun 13, 2013, 10:34 PM+1016931bd7bf
core/src/main/resources/lib/layout/layout.jelly+1 0
@@ -56,6 +56,7 @@ THE SOFTWARE.
<st:header name="Expires" value="0" />
<st:header name="Cache-Control" value="no-cache,must-revalidate" />
<st:header name="X-Hudson-Theme" value="default" />
+<st:header name="X-Frame-Options" value="sameorigin" />
<st:contentType value="text/html;charset=UTF-8" />
<j:new var="h" className="hudson.Functions" /><!-- instead of JSP functions -->

References