CVE-2023-28671

MEDIUM4.3EPSS 0.09%

Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery

Published: 4/2/2023Modified: 2/25/2025

Description

OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. OctoPerf Load Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.

Affected packages (1)

Maven/org.jenkinsci.plugins:octoperffrom 0, < 4.5.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (2)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-28671
WEBhttps://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-3067%20(1)