CVE-2025-31723

MEDIUM 4.3 | EPSS 0.10%

Jenkins Simple Queue Plugin Cross-Site Request Forgery (CSRF)

Published: 2025/4/2 | Modified: 2025/4/2

Description

Jenkins Simple Queue Plugin 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to change and reset the build queue order. Simple Queue Plugin 1.4.7 requires POST requests for the affected HTTP endpoints. Administrators can enable equivalent HTTP endpoints without CSRF protection via the global configuration.

Affected packages (1)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (4)