REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
https://cwe.mitre.org/data/definitions/1021.html →Open in CWE collection →This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
https://cwe.mitre.org/data/definitions/227.html →Open in CWE collection →An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system.
https://capec.mitre.org/data/definitions/103.html →Open in CAPEC collection →An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes.
https://capec.mitre.org/data/definitions/181.html →Open in CAPEC collection →In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.
https://capec.mitre.org/data/definitions/222.html →Open in CAPEC collection →An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.
https://capec.mitre.org/data/definitions/504.html →Open in CAPEC collection →An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with.
https://capec.mitre.org/data/definitions/506.html →Open in CAPEC collection →This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls.
https://capec.mitre.org/data/definitions/587.html →Open in CAPEC collection →An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials.
https://capec.mitre.org/data/definitions/654.html →Open in CAPEC collection →| Product | Vendor | Status |
|---|---|---|
| atomic-enterprise-service-catalog | Tracked | |
| atomic-openshift | Tracked | |
| atomic-openshift-cluster-autoscaler | Tracked | |
| atomic-openshift-descheduler | Tracked | |
| atomic-openshift-dockerregistry | Tracked | |
| atomic-openshift-metrics-server | Tracked | |
| atomic-openshift-node-problem-detector | Tracked | |
| atomic-openshift-service-idler | Tracked | |
| atomic-openshift-web-console | Tracked | |
| cri-o | Tracked | |
| golang-github-openshift-oauth-proxy | Tracked | |
| golang-github-prometheus-alertmanager | Tracked | |
| golang-github-prometheus-node_exporter | Tracked | |
| golang-github-prometheus-prometheus | Tracked | |
| jenkins | Tracked | |
| jenkins | Tracked | |
| jenkins | Tracked | |
| jenkins-2-plugins | Tracked | |
| openshift-ansible | Tracked | |
| openshift-enterprise-autoheal | Tracked |