Lucene search

GitHub Advisory DatabaseGHSA-WQ3W-3RXH-VCXX

HistoryApr 02, 2023 - 9:30 p.m.

Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery

2023-04-0221:30:17

CWE-352

GitHub Advisory Database

github.com

jenkins

octoperf

load testing

csrf

vulnerability

http

endpoint

security

plugin

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

20.6%

JSON

OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.

Affected configurations

Vulners

Node

org.jenkinsci.pluginsoctoperfRange<4.5.1

VendorProductVersionCPE
org.jenkinsci.pluginsoctoperf*cpe:2.3:a:org.jenkinsci.plugins:octoperf:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.jenkinsci.plugins	octoperf	*	cpe:2.3:a:org.jenkinsci.plugins:octoperf::::::::

References

github.com/advisories/GHSA-wq3w-3rxh-vcxx

nvd.nist.gov/vuln/detail/CVE-2023-28671

www.jenkins.io/security/advisory/2023-03-21/#SECURITY-3067%20(1)

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

20.6%

JSON

Related for GHSA-WQ3W-3RXH-VCXX