Lucene search

GitHub Advisory DatabaseGHSA-WQ3W-3RXH-VCXX

HistoryApr 02, 2023 - 9:30 p.m.

Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery

2023-04-0221:30:17

CWE-352

GitHub Advisory Database

github.com

jenkins

octoperf

load testing

csrf

vulnerability

http

endpoint

security

plugin

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.0005 Low

EPSS

Percentile

16.2%

JSON

OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.

Affected configurations

Vulners

Node

org.jenkinsci.plugins\Matchoctoperf

CPENameOperatorVersion
org.jenkinsci.plugins:octoperflt4.5.1

CPE	Name	Operator	Version
	org.jenkinsci.plugins:octoperf	lt	4.5.1

References

github.com/advisories/GHSA-wq3w-3rxh-vcxx

nvd.nist.gov/vuln/detail/CVE-2023-28671

www.jenkins.io/security/advisory/2023-03-21/#SECURITY-3067%20(1)

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.0005 Low

EPSS

Percentile

16.2%

JSON

Related for GHSA-WQ3W-3RXH-VCXX