CVE-2023-28675: Jenkins OctoPerf Load Testing Plugin missing permission check allows for unauthorized server connections

April 2, 2023 (updated February 25, 2025)

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

References

github.com/advisories/GHSA-p3w6-3f7f-pm98
github.com/jenkinsci/octoperf-plugin
nvd.nist.gov/vuln/detail/CVE-2023-28675
www.jenkins.io/security/advisory/2023-03-21/

Detect and mitigate CVE-2023-28675 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →