CVE-2024-54003

8.0 HIGH

📋 TL;DR

Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission. A crafted view name is saved on the controller and its script runs in the browser of any user who opens a page where the plugin renders that name, with that user's Jenkins session. All Jenkins instances running a vulnerable version of this plugin are affected, regardless of Jenkins core version.

💻 Affected Systems

Products:
  • Jenkins Simple Queue Plugin
Versions: 1.4.4 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires View/Create permission to exploit. Jenkins core itself is not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could hijack authenticated sessions, perform any action the victim is authorized to perform (for an administrator this includes reconfiguring jobs and running Groovy in the Script Console), or redirect users to attacker-controlled sites.

🟠

Likely Case

Attackers with View/Create permission could hijack the sessions of other users who open the affected view, perform unauthorized actions with those users' permissions, or deface Jenkins interface elements.

🟢

If Mitigated

Restricting View/Create to a small set of trusted users shrinks the pool of possible attackers, but anyone who still holds the permission can target every user who opens the view; only upgrading removes the flaw.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires View/Create permission (the attacker must already have a Jenkins account). Because this is stored XSS, the payload persists in the saved view name (for top-level views, in $JENKINS_HOME/config.xml) until the view is renamed or deleted, and fires for every user who opens the affected page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.5

Vendor Advisory: https://www.jenkins.io/security/advisory/2024-11-27/#SECURITY-3467

Restart Required: Yes

Instructions:

1. Navigate to Manage Jenkins > Manage Plugins (labelled Plugins in recent Jenkins releases).
2. Update Simple Queue Plugin to version 1.4.5 or later.
3. Restart Jenkins.

🔧 Temporary Workarounds

Restrict View/Create permission

Applies to: all

Restrict View/Create permission to trusted users only. Note that removing the permission does not remove payloads already stored in existing view names; audit those separately.

Disable plugin

Applies to: all

Temporarily disable Simple Queue Plugin if it is not required.

Navigate to Manage Jenkins > Manage Plugins > Installed, find Simple Queue Plugin, click Disable, then restart Jenkins for the change to take effect.

🧯 If You Can't Patch

  • Review and restrict View/Create permissions to minimal set of trusted users
  • Monitor for suspicious view name creation and audit existing view names for XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Manage Jenkins > Manage Plugins > Installed. If Simple Queue Plugin version is 1.4.4 or earlier, system is vulnerable.

Check Version:

Check Jenkins web interface at Manage Jenkins > Manage Plugins > Installed

Verify Fix Applied:

Verify Simple Queue Plugin version is 1.4.5 or later after update.
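The version check above can be scripted against the plugin manager REST API instead of clicking through the UI. The following is an added example, not code from the page or from the Jenkins project. It assumes the plugin's short name (artifact id) is `simple-queue` and consumes the JSON returned by `GET $JENKINS_URL/pluginManager/api/json?tree=plugins[shortName,version,enabled]`; the embedded sample response is constructed for illustration. It compares versions numerically, because a plain string comparison would rate a future `1.4.10` as older than `1.4.5`.

```python
"""Check whether the installed Simple Queue Plugin is at or above the fixed version.

Input is the JSON Jenkins returns from
GET $JENKINS_URL/pluginManager/api/json?tree=plugins[shortName,version,enabled]
(fetch it with an API token, e.g. via curl, and pass the body to assess()).
"""
import json
import re
from typing import Optional, Tuple

# Assumed plugin id (artifact short name) of the Simple Queue Plugin.
PLUGIN_ID = "simple-queue"
# First fixed release per the Jenkins advisory (SECURITY-3467).
FIXED_VERSION = "1.4.5"

# Constructed sample response carrying only the fields this script uses;
# a real response lists many more plugins and attributes.
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1", "enabled": True},
        {"shortName": "simple-queue", "version": "1.4.4", "enabled": True},
        {"shortName": "matrix-auth", "version": "3.2.2", "enabled": True},
    ]
})


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison, so that "1.4.10" sorts after "1.4.5".

    Plain string comparison gets this wrong ("1.4.10" < "1.4.5" as strings),
    a common false negative in ad-hoc version checks.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_plugin(payload: str, short_name: str = PLUGIN_ID) -> Optional[dict]:
    """Return the plugin entry with the given shortName, or None if absent."""
    for plugin in json.loads(payload).get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin
    return None


def assess(payload: str) -> str:
    """Classify the instance: not-installed, installed-disabled, vulnerable or fixed."""
    plugin = find_plugin(payload)
    if plugin is None:
        return "not-installed"
    if not plugin.get("enabled", True):
        # A disabled plugin serves no pages, but it is re-enabled with one
        # click, so it should still be upgraded.
        return "installed-disabled"
    if version_key(plugin["version"]) < version_key(FIXED_VERSION):
        return "vulnerable"
    return "fixed"


if __name__ == "__main__":
    print(f"{PLUGIN_ID}: {assess(SAMPLE_PLUGIN_JSON)}")  # sample is at 1.4.4 -> vulnerable
```

To run it against a live controller, fetch the JSON with an API token (`curl -u user:token "$JENKINS_URL/pluginManager/api/json?tree=plugins[shortName,version,enabled]"`) and pass the body to `assess()`; the same check works across a fleet of controllers by looping over their URLs.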

📡 Detection & Monitoring

Log Indicators:

  • View creation or rename events by users who do not normally manage views. Jenkins does not log these by default; an audit logging plugin such as Audit Trail, or the access log of a reverse proxy in front of Jenkins, is needed to see the POSTs to /createView and to /view/<name>/configSubmit.
  • View names containing angle brackets, quotes, javascript: URIs or on*= event-handler attributes, found in $JENKINS_HOME/config.xml or in the output of /api/json?tree=views[name].

Browser-Side Indicators:

  • Unexpected script execution, redirects, or outbound requests to unknown hosts from Jenkins pages when users open a particular view (XSS leaves no trace in the controller's own logs; it shows up in the victim's browser, a proxy log, or an endpoint agent).

SIEM Query:

source="jenkins" AND (event="view_created" OR event="view_modified") AND (message="*<script*" OR message="*javascript:*")

The source and field names above are placeholders for however your audit log is ingested. Matching only "<script" and "javascript:" misses attribute-based payloads such as <img src=x onerror=...>; extend the pattern list with common event-handler attributes (onerror=, onload=, onmouseover=) or, better, alert on any view name containing a markup-significant character.
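The audit of existing view names recommended under "If You Can't Patch" and the detection patterns above can be run directly over the controller's saved configuration. The following is an added example, not code from the page or from the Jenkins project. It assumes top-level views are stored under the `<views>` element of `$JENKINS_HOME/config.xml` and that the same names come back from `GET $JENKINS_URL/api/json?tree=views[name]`; both embedded samples are constructed for illustration. It goes beyond the page's `<script`/`javascript:` query by also catching tag and event-handler based payloads and, as a noisier catch-all, any markup-significant character.

```python
"""Audit Jenkins view names for stored-XSS payloads.

Top-level views are persisted in $JENKINS_HOME/config.xml under <views>;
the same names are available to an authenticated API client from
GET $JENKINS_URL/api/json?tree=views[name]. Both inputs are handled below.
"""
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed, trimmed config.xml (real files carry far more configuration).
# Jenkins XML-escapes the name on disk, so "<img" is stored as "&lt;img";
# ElementTree decodes it back to the raw name a browser would receive.
SAMPLE_CONFIG_XML = """<hudson>
  <views>
    <hudson.model.AllView>
      <name>all</name>
    </hudson.model.AllView>
    <listView>
      <name>Nightly builds</name>
    </listView>
    <listView>
      <name>&lt;img src=x onerror=alert(document.cookie)&gt;</name>
    </listView>
    <listView>
      <name>Release &quot;2024&quot;</name>
    </listView>
  </views>
</hudson>
"""

# Constructed equivalent of GET /api/json?tree=views[name]
SAMPLE_API_JSON = json.dumps({
    "views": [
        {"name": "all"},
        {"name": "Nightly builds"},
        {"name": "<img src=x onerror=alert(document.cookie)>"},
        {"name": 'Release "2024"'},
    ]
})

# Ordered from most to least specific. Matching only "<script" and
# "javascript:" misses attribute-based payloads such as <img onerror=...>,
# hence the broader set.
PATTERNS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-zA-Z]")),
    ("event-handler", re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    # Any markup-significant character: noisier, but a legitimate view
    # name rarely needs one and every XSS payload needs at least one.
    ("markup-char", re.compile(r"[<>\"'`]")),
]


def classify(name: str) -> List[str]:
    """Labels of every pattern the view name matches (empty if clean)."""
    return [label for label, pattern in PATTERNS if pattern.search(name)]


def suspicious_view_names_xml(config_xml: str) -> Dict[str, List[str]]:
    """Scan the <views> block of config.xml; returns {name: reasons}."""
    root = ET.fromstring(config_xml)
    views = root.find("views")
    findings: Dict[str, List[str]] = {}
    if views is None:
        return findings
    for view in views:  # one child element per view, whatever its type
        name = view.findtext("name")
        if name is not None and classify(name):
            findings[name] = classify(name)
    return findings


def suspicious_view_names_json(payload: str) -> Dict[str, List[str]]:
    """Same check over the REST API representation."""
    findings: Dict[str, List[str]] = {}
    for view in json.loads(payload).get("views", []):
        name = view.get("name", "")
        if classify(name):
            findings[name] = classify(name)
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_view_names_xml(SAMPLE_CONFIG_XML).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

A hit on `html-tag`, `event-handler` or `javascript-uri` is an active payload and the view should be renamed or deleted from a browser that is not logged in as an administrator (or by editing config.xml with Jenkins stopped). A `markup-char`-only hit, like the quoted release name in the sample, is usually benign but worth a look, since the same characters are what the unfixed plugin fails to escape. Views nested inside folders or the Nested View plugin live in their own config.xml files and need the same scan.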

🔗 References