First published: Thu Mar 23 2023(Updated: )
Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Credit: jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Octoperf Load Testing | <=4.5.1 | |
<=4.5.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-28672 has a moderate severity level due to its impact on permission checks in the connection test endpoint.
To fix CVE-2023-28672, update the Jenkins OctoPerf Load Testing Plugin to version 4.5.2 or later.
All Jenkins instances using the OctoPerf Load Testing Plugin version 4.5.1 and earlier are affected by CVE-2023-28672.
CVE-2023-28672 is an authorization vulnerability that allows unauthorized access to specified URLs.
Yes, CVE-2023-28672 could potentially lead to credential theft if an attacker exploits the vulnerability to connect to unauthorized URLs.