Lucene search

GoogleOSV:GHSA-P3W6-3F7F-PM98

HistoryApr 02, 2023 - 9:30 p.m.

Jenkins OctoPerf Load Testing Plugin missing permission check allows for unauthorized server connections

2023-04-0221:30:17

Google

osv.dev

jenkins security flaw

permission check bypass

http endpoint vulnerability

csrf vulnerability

octoperf plugin update

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

20.9%

JSON

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

References

github.com/jenkinsci/octoperf-plugin

nvd.nist.gov/vuln/detail/CVE-2023-28675

www.jenkins.io/security/advisory/2023-03-21/#SECURITY-3067%20(4)

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

20.9%

JSON

Related for OSV:GHSA-P3W6-3F7F-PM98