GHSA-x263-hp5c-p2rj

Опубликовано: 02 апр. 2023

Источник: github

Github: Прошло ревью

CVSS3: 4.3

Описание

Jenkins OctoPerf Load Testing Plugin vulnerable to Cross-site Request Forgery

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Ссылки

Пакеты

Наименование

org.jenkinsci.plugins:octoperf

maven

Затронутые версииВерсия исправления

< 4.5.3

4.5.3

EPSS

Процентиль: 37%

0.00155

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2023-28674

Дефекты

CWE-352

Связанные уязвимости

CVE-2023-28674

CVSS3: 8.8

nvd

почти 3 года назад

A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

EPSS

Процентиль: 37%

0.00155

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2023-28674

Дефекты

CWE-352