CVE-2023-28671
Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery
4.3
MEDIUM
CVSS 3.1
EPSS 0.09%
Description
OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. OctoPerf Load Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.
How to fix CVE-2023-28671
To remediate CVE-2023-28671, upgrade the affected package to a fixed version below.
- —upgrade to 4.5.1 or later
Is CVE-2023-28671 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 4.5.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |