CVE-2023-28675 — Jenkins OctoPerf Load Testing Plugin missing permission check allows for unautho

Description

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

How to fix CVE-2023-28675

To remediate CVE-2023-28675, upgrade the affected package to a fixed version below.

—upgrade to 4.5.3 or later

Is CVE-2023-28675 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.5.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-28675
PATCHgithub.com/jenkinsci/octoperf-plugin
WEBwww.jenkins.io/security/advisory/2023-03-21/#SECURITY-3067%20(4)