Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-x263-hp5c-p2rj: Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

ghsa
#csrf#vulnerability#git#java#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-28674

Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery

Moderate severity GitHub Reviewed Published Apr 2, 2023 to the GitHub Advisory Database • Updated Apr 3, 2023

Package

maven org.jenkinsci.plugins:octoperf (Maven)

Affected versions

< 4.5.3

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2023-28674
  • https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-3067%20(4)

Published to the GitHub Advisory Database

Apr 2, 2023

Related news

CVE-2023-28676: Jenkins Security Advisory 2023-03-21

A cross-site request forgery (CSRF) vulnerability in Jenkins Convert To Pipeline Plugin 1.0 and earlier allows attackers to create a Pipeline based on a Freestyle project, potentially leading to remote code execution (RCE).

CVE-2023-28683: Jenkins Security Advisory 2023-03-21

Jenkins Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28680: Jenkins Security Advisory 2023-03-21

Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28682: Jenkins Security Advisory 2023-03-21

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28673: Jenkins Security Advisory 2023-03-21

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2023-28677: Jenkins Security Advisory 2023-03-21

Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations, allowing attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a convertion by Jenkins Convert To Pipeline Plugin.

CVE-2023-28684: Jenkins Security Advisory 2023-03-21

Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28671: Jenkins Security Advisory 2023-03-21

A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-28675: Jenkins Security Advisory 2023-03-21

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

CVE-2023-28685: Jenkins Security Advisory 2023-03-21

Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.