GHSA-p3w6-3f7f-pm98

Source

https://github.com/advisories/GHSA-p3w6-3f7f-pm98

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p3w6-3f7f-pm98/GHSA-p3w6-3f7f-pm98.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p3w6-3f7f-pm98

Aliases

CVE-2023-28675

Published

2023-04-02T21:30:17Z

Modified

2023-11-08T04:12:13.415665Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Jenkins OctoPerf Load Testing Plugin missing permission check allows for unauthorized server connections

Details

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Database specific

{
    "nvd_published_at": "2023-04-02T21:15:00Z",
    "github_reviewed_at": "2023-04-04T17:12:59Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-284",
        "CWE-862"
    ]
}

References

Affected packages

Maven / org.jenkinsci.plugins:octoperf

Package

Name: org.jenkinsci.plugins:octoperf; View open source insights on deps.dev
Purl: pkg:maven/org.jenkinsci.plugins/octoperf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5.3

Affected versions

1.*

1.0.0

2.*

2.0.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.1.0

3.2.0

4.*

4.0.1

4.0.2

4.1.0

4.1.1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.3.0

4.3.1

4.4.0

4.4.1

4.4.2

4.5.0

4.5.1

4.5.2

Database specific

{
    "last_known_affected_version_range": "<= 4.5.2"
}