GHSA-3jw2-5hjg-hc2c

Source
https://github.com/advisories/GHSA-3jw2-5hjg-hc2c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-3jw2-5hjg-hc2c/GHSA-3jw2-5hjg-hc2c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3jw2-5hjg-hc2c
Aliases
  • CVE-2025-64133
Published
2025-10-29T15:31:56Z
Modified
2025-11-05T21:07:30.468205Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Summary
Jenkins Extensible Choice Parameter Plugin vulnerable to cross-site request forgery
Details

Jenkins Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute sandboxed Groovy code.

As of publication of this advisory, there is no fix.

Database specific
{
    "github_reviewed_at": "2025-10-29T21:49:59Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": "2025-10-29T14:15:57Z",
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Maven / jp.ikedam.jenkins.plugins:extensible-choice-parameter

Package

Name
jp.ikedam.jenkins.plugins:extensible-choice-parameter
Purl
pkg:maven/jp.ikedam.jenkins.plugins/extensible-choice-parameter

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
239.v5f5c278708cf

Affected versions

1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.0
1.4.1
1.4.2
1.5.0
1.6.0
1.7.0
1.8.0
1.8.1
237.*
237.v51568f37b_78e
239.*
239.v5f5c278708cf

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-3jw2-5hjg-hc2c/GHSA-3jw2-5hjg-hc2c.json"