CVE-2025-31723
Published: 2025-04-02

CVE-2025-31723: A cross-site request forgery (CSRF) vulnerability in Jenkins Simple Queue Plugin 1.4.6 and earlier allows attackers to change and reset the build queue order.

Priority: P4 17 · Severity: medium · CVSS 3.1 base score: 4.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.25% (16.0th percentile)
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | asakusasatellite_plugin | — | — |
| jenkins | cadence_vmanager_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | simple_queue | < 1.4.7 | 1.4.7 |
| jenkins | simple_queue_plugin | — | — |
| jenkins | stack_hammer_plugin | — | — |
| jenkins | templating_engine_plugin | — | — |
| jenkins_project | jenkins_simple_queue_plugin | <= 1.4.6 | — |
GHSA · 2025-04-02
CVE-2025-31723 [MEDIUM] CWE-352 Jenkins Simple Queue Plugin Cross-Site Request Forgery (CSRF)

Jenkins Simple Queue Plugin 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to change and reset the build queue order.
Simple Queue Plugin 1.4.7 requires POST requests for the affected HTTP endpoints.
Administrators can enable equivalent HTTP endpoints without CSRF protection via the global configuration.
OSV · 2025-04-02
CVE-2025-31723 [MEDIUM] Jenkins Simple Queue Plugin Cross-Site Request Forgery (CSRF)
(Advisory text identical to the GHSA entry.)
Jenkins Security Advisory 2025-04-02
vendor_jenkins · 2025-04-02 · CVSS 4.3
CVE-2025-31720 [MEDIUM] Jenkins Security Advisory 2025-04-02
This advisory announces vulnerabilities in the following Jenkins deliverables:

- Jenkins (core)
- AsakusaSatellite Plugin
- Cadence vManager Plugin
- monitor-remote-job Plugin
- Simple Queue Plugin
- Stack Hammer Plugin
- Templating Engine Plugin
Description
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-04-02