exploitDog
GHSA-p3w6-3f7f-pm98

Published: 02 Apr 2023
Source: github
GitHub: Reviewed
CVSS3: 4.3

Description

Jenkins OctoPerf Load Testing Plugin missing permission check allows for unauthorized server connections

Jenkins OctoPerf Load Testing Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission (the minimum permission any user who can log in to Jenkins holds) to make the Jenkins controller connect to a previously configured OctoPerf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, so they are also reachable by cross-site request forgery (CSRF): a victim with the required permission who visits an attacker-controlled page triggers the same connection, without the attacker needing any Jenkins account.

OctoPerf Load Testing Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.
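The two defects above are the classic shape of a Jenkins form-validation ("test connection") endpoint. The following is an added example written for this page, not the OctoPerf plugin's own code: it shows a Stapler endpoint in the vulnerable shape the advisory describes beside the hardened shape it says 4.5.3 adopted. The class name, method names, form fields and the connection probe are all illustrative assumptions; the plugin's real server API is not on the page.

```java
// Added example, not the OctoPerf plugin's code. Class, method and field
// names are assumptions chosen to illustrate the advisory.
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class LoadTestServerEndpoints {

    // VULNERABLE shape (what the advisory describes for <= 4.5.2):
    // Stapler routes any request method to doXxx methods, and nothing here
    // checks who is calling. Any Overall/Read user can call it directly, and
    // because GET is accepted, a hostile page can make a logged-in victim's
    // browser call it (CSRF), so the controller connects to serverUrl with
    // credentials the attacker chose.
    public FormValidation doTestConnectionVulnerable(
            @QueryParameter String serverUrl,
            @QueryParameter String username,
            @QueryParameter String password) {
        return tryConnect(serverUrl, username, password);
    }

    // HARDENED shape (what the advisory describes for 4.5.3):
    // @RequirePOST makes Stapler reject non-POST requests, which also brings
    // the request under Jenkins' CSRF crumb check. The permission check
    // matches where the form lives: Item/Configure when invoked from a job's
    // configuration page, Overall/Administer for global configuration.
    @RequirePOST
    public FormValidation doTestConnection(
            @AncestorInPath Item item,
            @QueryParameter String serverUrl,
            @QueryParameter String username,
            @QueryParameter String password) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return tryConnect(serverUrl, username, password);
    }

    // Assumed, minimal connection probe standing in for the plugin's real
    // client: sends HTTP Basic credentials to serverUrl and reports the status.
    // This is the action an unauthorized caller gets to trigger in the
    // vulnerable shape, with a destination and credentials of their choosing.
    private static FormValidation tryConnect(String serverUrl, String username, String password) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            String token = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + token);
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Connected (HTTP " + status + ")")
                    : FormValidation.error("Server returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

The two changes are independent and both are needed: the permission check alone still leaves the endpoint open to CSRF from a suitably privileged victim's browser, and POST alone still lets any Overall/Read user call it directly with a valid crumb. A quick check after upgrading is to request the endpoint with GET: the hardened method is answered with an HTTP 405 response instead of performing the connection.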

Packages

Name: org.jenkinsci.plugins:octoperf (maven)
Affected versions: <= 4.5.2
Fixed version: 4.5.3

EPSS: 0.00165 (percentile: 38%), Low

CVSS3: 4.3 Medium

Weaknesses

CWE-284 Improper Access Control
CWE-862 Missing Authorization

Related vulnerabilities

CVSS3: 4.3
nvd
almost 3 years ago

A missing permission check in Jenkins OctoPerf Load Testing Plugin 4.5.2 and earlier allows attackers to connect to a previously configured OctoPerf server using attacker-specified credentials.

EPSS: 0.00165 (percentile: 38%), Low
CVSS3: 4.3 Medium
Weaknesses: CWE-284 Improper Access Control, CWE-862 Missing Authorization