CVE-2023-28675
Description
A missing permission check in Jenkins OctoPerf Load Testing Plugin 4.5.2 and earlier allows attackers to connect to a configured Octoperf server with attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The Jenkins OctoPerf Load Testing Plugin, versions 4.5.2 and earlier, contains a missing permission check vulnerability. This flaw allows an attacker to connect to a previously configured Octoperf server using credentials that the attacker specifies, without requiring proper authorization [1][2].
Exploitation and Attack Surface
Exploitation of this vulnerability does not require authentication to Jenkins, as the permission check is missing entirely. An attacker who can access a Jenkins instance with the plugin installed can leverage this to modify the connection credentials to the Octoperf server. No specific privileges are needed, making this a low-complexity attack vector [1][2].
Impact
Successful exploitation enables an attacker to control the credentials used for the connection to the Octoperf load testing server. This could lead to unauthorized use of the Octoperf service, potential data exposure, and a loss of integrity in the load testing configuration [1][2].
Mitigation
The Jenkins security advisory of 2023-03-21 recommends upgrading the OctoPerf Load Testing Plugin to version 4.5.3 or later, which adds the missing permission check. Administrators should update the plugin as soon as possible to mitigate this vulnerability [1].
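To make the defect class concrete, the following is an added, illustrative Java fragment in the shape of a generic Jenkins plugin configuration endpoint. It is not the OctoPerf plugin's source; the class, method and parameter names are hypothetical, and the connection logic is a placeholder. It shows a Stapler web method that opens a connection with caller-supplied credentials first without any authorization check (the pattern the advisory calls a missing permission check) and then with the check that a fix of this kind adds. The Jenkins and Stapler APIs used (`Jenkins.get().checkPermission`, `FormValidation`, `@QueryParameter`, `@POST`) are real.

```java
// Added example, NOT the OctoPerf plugin's code: a hypothetical global
// configuration descriptor exposing a "check connection" web method.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

@Extension
public class ExampleServerConfig extends GlobalConfiguration {

    // VULNERABLE pattern. Stapler routes this as
    // /descriptorByName/ExampleServerConfig/checkConnectionVulnerable and
    // performs no authorization of its own, so any caller who can reach the
    // web method can make the controller connect to the configured server
    // with credentials of the caller's choosing.
    public FormValidation doCheckConnectionVulnerable(@QueryParameter String username,
                                                      @QueryParameter String password) {
        return tryConnect(username, password);
    }

    // FIXED pattern. Require an administrative permission before touching the
    // supplied credentials (checkPermission throws AccessDeniedException for
    // callers without it), and accept only POST so the request must also carry
    // a CSRF crumb.
    @POST
    public FormValidation doCheckConnection(@QueryParameter String username,
                                            @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(username, password);
    }

    // Hypothetical placeholder for the plugin-specific connection logic; a real
    // plugin would open an authenticated session to its server here. No
    // network call is made in this example.
    private FormValidation tryConnect(String username, String password) {
        if (username == null || username.isEmpty()) {
            return FormValidation.error("Username is required");
        }
        if (password == null || password.isEmpty()) {
            return FormValidation.error("Password is required");
        }
        return FormValidation.ok("Connection parameters accepted");
    }
}
```

When reviewing a plugin for this defect class, look for every `do*` web method that takes credentials, URLs or other connection parameters from the request and confirm that it both checks an appropriate permission and is restricted to POST; the unchecked variant above is the shape that a one-line `checkPermission` call closes.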
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkinsci.plugins:octoperf | Maven | < 4.5.3 | 4.5.3 |
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-p3w6-3f7f-pm98 (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-28675 (NVD advisory)
- https://www.jenkins.io/security/advisory/2023-03-21/ (Jenkins vendor advisory)
News mentions
- Jenkins Security Advisory 2023-03-21 (Jenkins Security Advisories, Mar 21, 2023)