CVE-2024-54003: 
Java vulnerability analysis and mitigation

A high-severity stored cross-site scripting (XSS) vulnerability has been identified in Jenkins Simple Queue Plugin versions 1.4.4 and earlier, tracked as CVE-2024-54003. The vulnerability was discovered by Swapna Nanda from CloudBees, Inc. and was publicly disclosed on November 27, 2024. The vulnerability affects the Simple Queue Plugin component of Jenkins, a widely-used open-source automation server (Jenkins Advisory, NVD).

The vulnerability stems from the plugin's failure to properly escape view names, leading to a stored cross-site scripting vulnerability. The issue has been assigned a CVSS v3.1 base score of 8.0 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows attackers with View/Create permission to inject malicious scripts that can be executed by other users accessing the affected Jenkins instance. This could potentially lead to data theft, session hijacking, or further system compromise (Security Online).

The vulnerability has been patched in Simple Queue Plugin version 1.4.5, which properly escapes the view name. Users are strongly advised to update to this latest version immediately. All versions prior to 1.4.5 are considered vulnerable and should be updated (Jenkins Advisory, ASEC).