VYPR
Moderate severity · NVD Advisory · Published Mar 23, 2023 · Updated Aug 2, 2024

CVE-2023-28673

Description

A missing permission check in Jenkins OctoPerf Load Testing Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credential IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Overview

The Jenkins OctoPerf Load Testing Plugin up to version 4.5.2 contains a missing permission check in an unspecified endpoint. This flaw allows an attacker who already has the Overall/Read permission to enumerate the IDs of all credentials stored in Jenkins, even though they should not normally be able to view such metadata [1][2].

Exploitation and Attack Surface

An attacker needs to have Overall/Read permission, which is a low-privilege access level frequently granted to non-administrative users. No further authorization on the specific endpoint is required, making the attack low-complexity and potentially feasible in shared Jenkins environments where more than one user has read access [1].

Impact

Successful exploitation discloses credential IDs, which are internal identifiers. While this leak does not directly expose secret values, knowing valid IDs lowers the barrier for follow-on attacks such as credential usage or brute-forcing, especially when combined with other vulnerabilities. The vulnerability is rated Medium severity (CVSS v3) [2].

Mitigation

OctoPerf Load Testing Plugin version 4.5.2 is the last affected version. Users should update to a newer version that implements proper permission checks restricting access to credential IDs (the affected-packages table below lists 4.5.3 as the patched version). As of the advisory, no workaround is mentioned, so the plugin should be upgraded promptly [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions   Patched versions
org.jenkinsci.plugins:octoperf   Maven       < 4.5.3             4.5.3

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 1