CVE-2024-54003: Jenkins Simple Queue Plugin has stored cross-site scripting (XSS) vulnerability

November 27, 2024

Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.

Simple Queue Plugin 1.4.5 escapes the view name.

References

github.com/advisories/GHSA-4gwv-fpmg-cmv2
nvd.nist.gov/vuln/detail/CVE-2024-54003
www.jenkins.io/security/advisory/2024-11-27/

Detect and mitigate CVE-2024-54003 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →