CVE-2025-27624 - Vulnerability Details

A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Jenkins	Jenkins

Configuration 1 [-]

OR	cpe:2.3:a:jenkins:jenkins:::::lts:::*
	cpe:2.3:a:jenkins:jenkins:::::-:::*

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2025-27624
https://www.cve.org/CVERecord?id=CVE-2025-27624
https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3498

History

Tue, 24 Jun 2025 01:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jenkins Jenkins jenkins
CPEs		cpe:2.3:a:jenkins:jenkins:::::-:::* cpe:2.3:a:jenkins:jenkins:::::lts:::*
Vendors & Products		Jenkins Jenkins jenkins

Tue, 24 Jun 2025 01:15:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:jenkins:jenkins:::::-:::* cpe:2.3:a:jenkins:jenkins:::::lts:::*
Vendors & Products	Jenkins Jenkins jenkins

Tue, 24 Jun 2025 01:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jenkins Jenkins jenkins
CPEs		cpe:2.3:a:jenkins:jenkins:::::-:::* cpe:2.3:a:jenkins:jenkins:::::lts:::*
Vendors & Products		Jenkins Jenkins jenkins

Thu, 06 Mar 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 06 Mar 2025 14:00:00 +0000

Type	Values Removed	Values Added
Title		jenkins: CSRF vulnerability in jenkins
Weaknesses		CWE-352
References		https://nvd.nist.gov/vuln/detail/CVE-2025-27624 https://www.cve.org/CVERecord?id=CVE-2025-27624
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}` threat_severity `Moderate`

Wed, 05 Mar 2025 22:45:00 +0000

Type	Values Removed	Values Added
Description		A cross-site request forgery (CSRF) vulnerability in Jenkins 2.499 and earlier, LTS 2.492.1 and earlier allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets).
References		https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3498

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2025-03-05T22:33:36.141Z

Updated: 2025-03-06T16:15:59.954Z

Reserved: 2025-03-04T07:21:12.533Z

Link: CVE-2025-27624

Vulnrichment

Updated: 2025-03-06T16:15:40.367Z

NVD

Status : Analyzed

Published: 2025-03-05T23:15:14.197

Modified: 2025-06-24T00:45:20.613

Link: CVE-2025-27624

Redhat

Severity : Moderate

Publid Date: 2025-03-05T22:33:36Z

Links: CVE-2025-27624 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object