Jenkins Simple Queue Plugin Cross-Site Request Forgery (CSRF)
Moderate severity
GitHub Reviewed
Published
Apr 2, 2025
to the GitHub Advisory Database
•
Updated Apr 2, 2025
Description
Published by the National Vulnerability Database
Apr 2, 2025
Published to the GitHub Advisory Database
Apr 2, 2025
Reviewed
Apr 2, 2025
Last updated
Apr 2, 2025
Jenkins Simple Queue Plugin 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to change and reset the build queue order.
Simple Queue Plugin 1.4.7 requires POST requests for the affected HTTP endpoints.
Administrators can enable equivalent HTTP endpoints without CSRF protection via the global configuration.
References