VYPR
Moderate severity · NVD Advisory · Published Mar 23, 2023 · Updated Feb 25, 2025

CVE-2023-28674
Description

CSRF vulnerability in Jenkins OctoPerf Load Testing Plugin 4.5.2 and earlier allows attackers to use attacker-specified credentials to connect to a previously configured Octoperf server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability

Overview

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins OctoPerf Load Testing Plugin version 4.5.2 and earlier. The plugin does not perform a proper CSRF check, allowing an attacker to trick an authenticated Jenkins user into making a forged request. This request would use attacker-specified credentials to connect to a previously configured Octoperf server [1][2].

Exploitation

To exploit this vulnerability, an attacker needs to convince a Jenkins user with appropriate permissions to visit a malicious web page or follow a crafted link while logged into Jenkins. No direct authentication to Jenkins is required for the attacker; the victim's active session is used to submit the unauthorized request. The weakness lies in the absence of a CSRF token or origin validation for the specific form submission that handles the OctoPerf server credential configuration [1].

Impact

Successful exploitation allows the attacker to modify the stored OctoPerf server connection credentials to their own. This can lead to subsequent actions such as initiating load tests or extracting data through the attacker-controlled server, depending on the plugin's functionality. The impact is limited to the OctoPerf plugin's operations and does not grant broader Jenkins administrative access [1].

Mitigation

The vendor, Jenkins, has addressed this vulnerability in an advisory published on March 21, 2023. Users should upgrade to a patched version above 4.5.2 as soon as possible. No workarounds are listed; applying the update is the recommended action. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
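As an added illustration of the defensive pattern this class of Jenkins plugin CSRF issues calls for (this is constructed example code, not the OctoPerf plugin's code or anything from the Jenkins advisory), the snippet below shows a plugin form-validation endpoint that tests a server connection, hardened in the two ways Jenkins plugin authors normally apply: the endpoint is restricted to POST so that the request must carry Jenkins' CSRF crumb, and a permission check runs before any outbound connection is attempted. The class, method and field names are assumptions.

```java
// Constructed example, not the OctoPerf plugin's code. Class, method and
// field names (ExampleServerConfiguration, doTestConnection, serverUrl)
// are assumptions chosen for illustration.
package example.octoperf;

import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ExampleServerConfiguration extends GlobalConfiguration {

    /** Previously configured server URL (assumed field, loaded from config). */
    private String serverUrl;

    /*
     * Weak pattern, shown only for contrast:
     *
     *   public FormValidation doTestConnection(@QueryParameter String username,
     *                                          @QueryParameter String password) {
     *       return connect(serverUrl, username, password);
     *   }
     *
     * Reachable with GET and guarded by no permission check, so a forged
     * cross-site request riding on a logged-in user's session can make
     * Jenkins open a connection to the configured server with credentials
     * the request supplies. That is the weakness described above.
     */

    @Override
    public String getDisplayName() {
        return "Example server (constructed)";
    }

    /** Hardened form-validation endpoint. */
    @RequirePOST // Stapler rejects GET here; a POST must carry the CSRF crumb
    public FormValidation doTestConnection(@QueryParameter String username,
                                           @QueryParameter String password) {
        // Only users allowed to change global configuration may trigger a
        // connection attempt; throws AccessDeniedException otherwise.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        if (username == null || username.trim().isEmpty()) {
            return FormValidation.error("Username is required");
        }
        // Wrap the secret so it is not left in plain String form longer than needed
        Secret secret = Secret.fromString(password);
        return connect(serverUrl, username, secret);
    }

    /** Placeholder for the real connection attempt (assumed behaviour). */
    private FormValidation connect(String url, String user, Secret secret) {
        if (url == null || url.isEmpty()) {
            return FormValidation.error("No server configured");
        }
        return FormValidation.ok("Connection parameters accepted for " + url);
    }
}
```

The two annotations work together: @RequirePOST alone stops a plain link or image tag from reaching the endpoint and forces the request through Jenkins' crumb check, while checkPermission ensures that even a legitimately submitted form cannot be used by a low-privilege user to point the plugin at credentials of their choosing.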

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              | Affected versions | Patched versions
org.jenkinsci.plugins:octoperf (Maven) | < 4.5.3           | 4.5.3

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1