CVE-2014-2063: Jenkins Vulnerable to Clickjacking
CVSS Score: 7.5
Basic Information

CVE ID: CVE-2014-2063
GHSA ID:
EPSS Score: 0.38939%
CWE: -
Published: 5/17/2022
Updated: 3/13/2025
KEV Status: No
Technology: Java
Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.main:jenkins-core | maven | >= 1.533, < 1.551 | 1.551 |
org.jenkins-ci.main:jenkins-core | maven | < 1.532.2 | 1.532.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing X-Frame-Options header protection. The fix commit explicitly adds this header in layout.jelly, the root template for Jenkins pages. The vulnerable component is therefore not a traditional function but the template's header-generation mechanism: because the Jelly template system did not emit this security header by default in affected versions, Jenkins pages could be embedded in frames by other origins, which is what enabled the clickjacking vectors.
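As an added, defender-side example (not code from the advisory or from the Jenkins project): a small Python checker that classifies a response's headers as protected or unprotected against framing, covering the missing-header case this CVE describes as well as a CSP frame-ancestors directive and the obsolete ALLOW-FROM form. The header value a patched Jenkins emits is an assumption here, not taken from the page.

```python
# Added example (not from the advisory or the Jenkins project): decide whether an
# HTTP response's headers protect the page against clickjacking, i.e. whether the
# header that the Jenkins fix started emitting is present and meaningful.
# All sample responses below are constructed, not captured from a real server.

def framing_policy(headers):
    """Return ("protected" | "unprotected", reason) for a dict of response headers.

    Header names are matched case-insensitively. A CSP frame-ancestors directive
    is evaluated first because, where present, it supersedes X-Frame-Options.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if "'none'" in sources:
                return "protected", "CSP frame-ancestors 'none'"
            if "*" in sources or not sources:
                return "unprotected", "CSP frame-ancestors permits any origin"
            return "protected", "CSP frame-ancestors restricts embedding to listed origins"

    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "unprotected", "no X-Frame-Options header (the pre-fix Jenkins state)"
    value = xfo.lower()
    if value in ("deny", "sameorigin"):
        return "protected", f"X-Frame-Options {value}"
    if value.startswith("allow-from"):
        # Obsolete directive that current browsers do not honour, so it gives no protection.
        return "unprotected", "X-Frame-Options ALLOW-FROM is obsolete and ignored"
    return "unprotected", f"unrecognised X-Frame-Options value {xfo!r}"


# Constructed samples: an unpatched-style response and a patched-style one. The exact
# value Jenkins emits is an assumption; sameorigin keeps Jenkins' own frames working
# while blocking embedding by other origins.
UNPATCHED = {"Content-Type": "text/html;charset=UTF-8", "Server": "Jetty"}
PATCHED = {"Content-Type": "text/html;charset=UTF-8", "X-Frame-Options": "sameorigin"}

if __name__ == "__main__":
    for name, hdrs in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, *framing_policy(hdrs))
```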