Security Advisories

CGA-xm6w-r5ww-h3v2

Published

Last updated

https://images.chainguard.dev/security/CGA-xm6w-r5ww-h3v2
Package

jenkins-2.479

Repository

Chainguard

Latest Update
Pending upstream fix
Aliases
  • CVE-2025-27624
  • GHSA-7g95-jmg9-h524

Severity

Unknown

Summary

Jenkins cross-site request forgery (CSRF) vulnerability

Description

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets), resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets.

Additionally, as the API accepts any string as the identifier of the panel ID to be toggled, attacker-controlled content can be stored in the victim’s user profile in Jenkins.

Jenkins 2.500, LTS 2.492.2 requires POST requests for the affected HTTP endpoint.
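The two weaknesses the description names (a state-changing endpoint reachable without POST, and an identifier that is stored without validation) map onto a small pattern in Stapler-bound Jenkins code. The following is an added illustration, not code from Jenkins or from this advisory: the class, method and widget names are hypothetical, and the allowlist check is an extra hardening step shown for the second weakness, not something the upstream fix is stated to include. `@RequirePOST`, `@QueryParameter` and `HttpResponses` are real Stapler APIs.

```java
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.HashSet;
import java.util.Set;

// Hypothetical Stapler-bound object holding per-user sidepanel widget state.
// Class, method and widget identifiers are assumptions made for this example.
public class SidepanelWidgetState {

    // Constructed allowlist of widget identifiers this object is willing to persist.
    private static final Set<String> KNOWN_PANE_IDS = Set.of("buildQueue", "executors");

    private final Set<String> collapsed = new HashSet<>();

    // Before: a plain web method is reachable via GET, so a cross-site link or image
    // can trigger it, and whatever string arrives as paneId is stored in user state.
    public HttpResponse doToggleCollapseUnsafe(@QueryParameter String paneId) {
        toggle(paneId);
        return HttpResponses.ok();
    }

    // After: @RequirePOST makes Stapler reject non-POST requests, which puts the
    // endpoint behind Jenkins's crumb (CSRF token) check for POST. The allowlist is
    // additional hardening so only known identifiers can be persisted.
    @RequirePOST
    public HttpResponse doToggleCollapse(@QueryParameter String paneId) {
        if (paneId == null || !KNOWN_PANE_IDS.contains(paneId)) {
            return HttpResponses.errorWithoutStack(400, "Unknown sidepanel widget id");
        }
        toggle(paneId);
        return HttpResponses.ok();
    }

    // Flip the collapsed/expanded state of one widget.
    private synchronized void toggle(String paneId) {
        if (!collapsed.remove(paneId)) {
            collapsed.add(paneId);
        }
    }

    public synchronized boolean isCollapsed(String paneId) {
        return collapsed.contains(paneId);
    }
}
```

When reviewing a plugin or core change for this class of issue, the check is simple: every `do*` web method that mutates state should carry `@RequirePOST` (or `@POST`), and any client-supplied key that ends up persisted should be validated against what the application actually knows about.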

References

Updates


© 2025 Chainguard. All Rights Reserved.