GHSA-p3w6-3f7f-pm98

GitHub Security Advisory

Jenkins OctoPerf Load Testing Plugin missing permission check allows for unauthorized server connections

✓ GitHub Reviewed MODERATE Has CVE

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Maven org.jenkinsci.plugins:octoperf

Affected versions: 0 (fixed in 4.5.3)

CVE-2023-28675

GHSA ID

GHSA-p3w6-3f7f-pm98

Published

April 2, 2023 9:30 PM

Last Modified

February 25, 2025 9:40 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkinsci.plugins:octoperf

GitHub Reviewed

✓ Yes

Last updated: July 2, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.