Lucene search

GitHub Advisory DatabaseGHSA-P3W6-3F7F-PM98

HistoryApr 02, 2023 - 9:30 p.m.

Jenkins OctoPerf Load Testing Plugin missing permission check allows for unauthorized server connections

2023-04-0221:30:17

CWE-284

CWE-862

GitHub Advisory Database

github.com

jenkins

octoperf

load testing

plugin

unauthorized connections

csrf

vulnerability

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

20.9%

JSON

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Affected configurations

Vulners

Node

org.jenkinsci.plugins\Matchoctoperf

References

github.com/advisories/GHSA-p3w6-3f7f-pm98

nvd.nist.gov/vuln/detail/CVE-2023-28675

www.jenkins.io/security/advisory/2023-03-21/#SECURITY-3067%20(4)

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

20.9%

JSON

Related for GHSA-P3W6-3F7F-PM98