GHSA-hcfh-qjcp-34q9

Source

https://github.com/advisories/GHSA-hcfh-qjcp-34q9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-hcfh-qjcp-34q9/GHSA-hcfh-qjcp-34q9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hcfh-qjcp-34q9

Aliases

CVE-2025-31723

Published

2025-04-02T15:31:38Z

Modified

2025-04-02T22:57:09.949109Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Jenkins Simple Queue Plugin Cross-Site Request Forgery (CSRF)

Details

Jenkins Simple Queue Plugin 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to change and reset the build queue order.

Simple Queue Plugin 1.4.7 requires POST requests for the affected HTTP endpoints.

Administrators can enable equivalent HTTP endpoints without CSRF protection via the global configuration.

Database specific

{
    "nvd_published_at": "2025-04-02T15:15:59Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-02T22:43:30Z"
}

References

Affected packages

Maven / io.jenkins.plugins:simple-queue

Package

Name: io.jenkins.plugins:simple-queue; View open source insights on deps.dev
Purl: pkg:maven/io.jenkins.plugins/simple-queue

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.7

Affected versions

1.*

1.1

1.2

1.3

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.4.1

1.4.3

1.4.4

1.4.5

1.4.6