CVE-2024-54003
Published 2024-11-27
CVSS 3.1: 8.0 (High), vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 77.46% (99.5th percentile)
Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | filesystem_list_parameter_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | simple_queue | <= 1.4.4 | 1.4.5 |
| jenkins | simple_queue_plugin | — | — |
| jenkins_project | jenkins_simple_queue_plugin | <= 1.4.4 | 1.4.5 |
Only the Simple Queue Plugin rows carry a version range. The Jenkins core and Filesystem List Parameter entries come from the same 2024-11-27 advisory, which covers several deliverables; this CVE affects only the Simple Queue Plugin.
Detection & IOCs (extracted from sources)
- Stored XSS in Jenkins Simple Queue Plugin 1.4.4 and earlier: the plugin renders the view name without escaping it, so an attacker with View/Create permission can store a script payload in a view name.
- The attacker must already hold View/Create permission; the stored payload runs in the browser of any other user who renders the affected view, so the risk is escalation from View/Create to whatever those users can do.
- Simple Queue Plugin 1.4.5 remediates the issue by escaping the view name; any instance still running 1.4.4 or earlier remains vulnerable. Check the installed plugin version, and review existing view names for HTML or script content that may have been stored before the upgrade.
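The two checks above (is the installed plugin in the affected range, and do any stored view names carry markup) as an added, offline example; this is not code from the Jenkins project or from this page. It assumes the plugin's Jenkins shortName is `simple-queue` and that the REST endpoints `pluginManager/api/json?depth=1` and `api/json?tree=views[name]` return `plugins[].shortName`/`version` and `views[].name`; both JSON documents are constructed samples, so nothing is fetched from a live instance.

```python
# Added example, not code from the Jenkins project or the advisory.
# Offline check for CVE-2024-54003: is the installed Simple Queue Plugin in the
# affected range (<= 1.4.4, fixed in 1.4.5), and do any stored view names
# contain HTML/script metacharacters that a View/Create holder could have planted?
import html
import json
import re

FIXED_VERSION = (1, 4, 5)           # first release that escapes the view name (per the advisory)
PLUGIN_SHORT_NAME = "simple-queue"  # assumption: the plugin's Jenkins shortName

# Constructed sample shaped like pluginManager/api/json?depth=1 (field names assumed).
SAMPLE_PLUGINS = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.6.0"},
    {"shortName": PLUGIN_SHORT_NAME, "version": "1.4.4"},
]})

# Constructed sample shaped like api/json?tree=views[name]; two names carry payloads.
SAMPLE_VIEWS = json.dumps({"views": [
    {"name": "all"},
    {"name": "Build Pipeline"},
    {"name": "<img src=x onerror=alert(1)>"},
    {"name": 'Release"onmouseover=alert(1)'},
]})

# HTML tag/attribute delimiters, a javascript: URL, or an on*= event handler.
SUSPICIOUS = re.compile(r"""[<>"']|javascript:|\bon\w+\s*=""", re.IGNORECASE)


def parse_version(v: str) -> tuple:
    """'1.4.4' -> (1, 4, 4); stops at the first non-numeric component ('1.4.5-rc1' -> (1, 4, 5))."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is 1.4.4 or earlier (anything below the fixed release)."""
    return parse_version(version) < FIXED_VERSION


def affected_plugin_versions(plugin_manager_json: str) -> list:
    """Installed Simple Queue Plugin versions that fall in the affected range."""
    data = json.loads(plugin_manager_json)
    return [p["version"] for p in data.get("plugins", [])
            if p.get("shortName") == PLUGIN_SHORT_NAME and is_affected(p.get("version", "0"))]


def suspicious_view_names(views_json: str) -> list:
    """View names containing markup or script fragments (indicator of a stored payload)."""
    data = json.loads(views_json)
    return [v["name"] for v in data.get("views", []) if SUSPICIOUS.search(v.get("name", ""))]


def render_safely(name: str) -> str:
    """The remediation the advisory describes, shown in Python: escape before inserting into HTML."""
    return html.escape(name, quote=True)


def assess(plugin_manager_json: str, views_json: str) -> dict:
    """Summarise exposure: vulnerable versions installed and suspicious view names found."""
    return {
        "vulnerable_versions": affected_plugin_versions(plugin_manager_json),
        "suspicious_views": suspicious_view_names(views_json),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_PLUGINS, SAMPLE_VIEWS)
    print("Simple Queue Plugin vulnerable versions:", report["vulnerable_versions"])
    for name in report["suspicious_views"]:
        print("suspicious view name:", repr(name), "-> escaped:", render_safely(name))
```

The name scan is deliberately broad (any tag or attribute delimiter, `javascript:` or an `on*=` handler), so treat hits as items to review rather than confirmed compromise; upgrading to 1.4.5 neutralises them on render, but the stored names themselves stay until someone renames or deletes the view.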
Source: Jenkins Security Advisory 2024-11-27 (vendor_jenkins, 2024-11-27)
Indexed under CVE-2024-47855 [MEDIUM, CVSS 5.3], the first entry in that advisory; the same advisory also covers this CVE.
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- Filesystem List Parameter Plugin
- Simple Queue Plugin
Descriptions
Denial of service vulnerability in bundled json-lib
SECURITY-3463 / CVE-2024-47855
Severity (CVS
Source: OSV (2024-11-27), CVE-2024-54003 [HIGH]
Jenkins Simple Queue Plugin has stored cross-site scripting (XSS) vulnerability
Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.
Simple Queue Plugin 1.4.5 escapes the view name.
Source: GHSA (2024-11-27), CVE-2024-54003 [HIGH], CWE-79
Jenkins Simple Queue Plugin has stored cross-site scripting (XSS) vulnerability
Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.
Simple Queue Plugin 1.4.5 escapes the view name.
No detection rules found.
No public exploits indexed.
Published: 2024-11-27