CVE-2025-31723

MEDIUM4.3EPSS 0.10%

Jenkins Simple Queue Plugin Cross-Site Request Forgery (CSRF)

Published: 4/2/2025Modified: 4/2/2025

Description

Jenkins Simple Queue Plugin 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to change and reset the build queue order. Simple Queue Plugin 1.4.7 requires POST requests for the affected HTTP endpoints. Administrators can enable equivalent HTTP endpoints without CSRF protection via the global configuration.

Affected packages (1)

Maven/io.jenkins.plugins:simple-queuefrom 0, < 1.4.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-31723
PATCHhttps://github.com/jenkinsci/simple-queue-plugin
WEBhttps://github.com/jenkinsci/simple-queue-plugin/commit/c1094666dcd139830620d6d1c21b13f847601e74
WEBhttps://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3469