GHSA-j9h4-p6p7-8652

Опубликовано: 02 апр. 2023

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

Jenkins OctoPerf Load Testing Plugin vulnerable to credential capture

OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.2 properly performs a permission check when accessing the affected connection test HTTP endpoint.

Ссылки

Пакеты

Наименование

org.jenkinsci.plugins:octoperf

maven

Затронутые версииВерсия исправления

< 4.5.2

4.5.2

EPSS

Процентиль: 43%

0.00211

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2023-28672

Дефекты

CWE-862

Связанные уязвимости

CVE-2023-28672

CVSS3: 6.5

nvd

почти 3 года назад

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

EPSS

Процентиль: 43%

0.00211

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2023-28672

Дефекты

CWE-862