CVE-2023-28674

8.8 HIGH

📋 TL;DR

The OctoPerf Load Testing Plugin exposes an HTTP endpoint that connects to a configured Octoperf server and does not require POST requests, so Jenkins' crumb-based CSRF protection (enforced only on POST) does not cover it. An attacker who gets a logged-in Jenkins user to load a crafted page can make the Jenkins server connect to a previously configured Octoperf server using attacker-specified credentials. It affects Jenkins instances with plugin version 4.5.2 or earlier installed.

💻 Affected Systems

Products:
  • Jenkins OctoPerf Load Testing Plugin
Versions: 4.5.2 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the OctoPerf plugin to be installed and configured with Octoperf server connections.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Jenkins acts as a confused deputy: the attacker chooses the credentials Jenkins presents to the configured Octoperf server, so Jenkins' network position and IP reputation can be used to test stolen Octoperf credentials or to lock accounts out through repeated failed logins. The forged request is cross-site, so the attacker does not read the response directly and does not obtain the Octoperf credentials stored in Jenkins through this request alone; what is learned depends on side channels such as timing or lockout notices on the Octoperf side.

🟠

Likely Case

Opportunistic abuse of the Jenkins instance as an origin for credential validation or nuisance lockouts against the configured Octoperf server, triggered by a Jenkins user who opens a lure page while logged in. The forged request does not exfiltrate data from Jenkins by itself.

🟢

If Mitigated

Jenkins' global CSRF protection does not reduce this: crumbs are validated only on POST, and the vulnerable endpoint accepts GET. With the plugin updated (or removed where unused) and Jenkins reachable only from trusted networks, exposure is limited to the plugin's own configured Octoperf connection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a Jenkins user who is logged in (holds a valid session cookie) to load an attacker-controlled page in the same browser. Because the endpoint accepts GET, an image or script tag pointing at the Jenkins URL is enough and no click on the lure page is needed. Chromium-based browsers treat cookies without a SameSite attribute as Lax, which withholds the session cookie on such embedded sub-resource loads but still sends it on a top-level navigation, so a plain link the user follows also works.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.3

Vendor Advisory: https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-3067%20(4)

Restart Required: Yes

Instructions:

1. Update Jenkins OctoPerf Load Testing Plugin to version 4.5.3 or later via Jenkins Plugin Manager.
2. Restart Jenkins service.
3. Verify plugin version in Jenkins plugin list.

🔧 Temporary Workarounds

Enable CSRF Protection

Keep Jenkins' global CSRF protection enabled (default in recent versions), but do not rely on it for this issue: crumbs are validated only on POST, and the vulnerable endpoint accepts GET, which is exactly why it was exploitable. The setting narrows exposure of other endpoints; only the plugin update closes this one.

Check Jenkins > Manage Jenkins > Configure Global Security > Enable CSRF Protection

Network Segmentation

Restrict Jenkins access to trusted networks only. This does not stop CSRF by itself, since the forged request is issued by the victim's browser from inside the trusted network, but it limits which users can be targeted and who can reach the configured Octoperf connection.

Configure firewall rules to limit Jenkins access to internal IP ranges

🧯 If You Can't Patch

  • Remove or disable the OctoPerf plugin if not needed
  • Implement strict access controls and monitor for suspicious Octoperf connection attempts

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin list for OctoPerf Load Testing Plugin version 4.5.2 or earlier

Check Version:

Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab, search for 'OctoPerf'

Verify Fix Applied:

Verify OctoPerf plugin version is 4.5.3 or later in Jenkins plugin list
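As an added check (example code, not from the advisory or the plugin project), the following Python script performs the same version comparison against the Jenkins plugin manager REST API (/pluginManager/api/json?depth=1), so it can be run across many controllers. It assumes the plugin's ID in that API is octoperf, that the fix threshold is 4.5.3 as stated above, and that the caller has a Jenkins user API token; the response embedded at the bottom is constructed for offline use.

```python
"""Check whether the installed OctoPerf Load Testing Plugin is at a fixed version.

Added example, not from the advisory page or the plugin project. It reads the
Jenkins plugin manager REST API and compares the plugin version against the
fix threshold. The plugin short name "octoperf" is an assumption; confirm it
against the entry shown in Manage Plugins.
"""
import base64
import json
import re
import urllib.request
from typing import Optional, Tuple

PLUGIN_SHORT_NAME = "octoperf"   # assumption: plugin ID as exposed by the plugin manager API
FIXED_VERSION = "4.5.3"          # first fixed release per the vendor advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.5.2' into (4, 5, 2) so that 4.10 compares greater than 4.5.
    A pre-release suffix such as '-rc1' is dropped; treat such builds manually."""
    core = version.split("-")[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess_plugins(plugin_api_json: dict) -> Optional[dict]:
    """Verdict for the OctoPerf plugin from a pluginManager API response,
    or None when the plugin is not installed at all."""
    for plugin in plugin_api_json.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = plugin.get("version", "0")
            return {
                "shortName": PLUGIN_SHORT_NAME,
                "version": version,
                "active": bool(plugin.get("active", True)),
                "vulnerable": is_vulnerable(version),
            }
    return None


def fetch_plugin_api(jenkins_url: str, user: str, api_token: str) -> dict:
    """Fetch /pluginManager/api/json?depth=1 using HTTP basic auth with a user API token."""
    req = urllib.request.Request(jenkins_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample in the shape the API returns (shortName/version/active per plugin).
SAMPLE_RESPONSE = {
    "plugins": [
        {"shortName": "git", "version": "5.0.0", "active": True},
        {"shortName": "octoperf", "version": "4.5.2", "active": True},
    ]
}

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_plugin_api("https://jenkins.example", "user", "token")
    verdict = assess_plugins(SAMPLE_RESPONSE)
    print(verdict)
```

A plugin that is installed but inactive (disabled) still ships the vulnerable code on disk, so the verdict reports both fields rather than treating inactive as fixed.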

📡 Detection & Monitoring

Log Indicators:

  • GET requests to the plugin's connection endpoint (Jenkins form-validation endpoints are served under /descriptorByName/<descriptor class>/<method>) carrying credential parameters in the query string, with a Referer from outside the Jenkins host or no Referer at all
  • On the Octoperf side, login failures or lockouts for accounts the Jenkins jobs do not use, originating from the Jenkins server's address

Jenkins' global CSRF protection is not exercised by these requests (crumbs are only checked on POST), so crumb or CSRF validation failures in the Jenkins log are not an indicator for this issue. Jenkins does not write an HTTP access log by default; the bundled Winstone server can be started with --accessLoggerClassName=winstone.accesslog.SimpleAccessLogger --simpleAccessLogger.format=combined --simpleAccessLogger.file=<path>, or a reverse proxy that logs requests can be placed in front of Jenkins.

Network Indicators:

  • Outbound connections from Jenkins to the configured Octoperf server outside job execution times, or bursts of them

SIEM Query (access-log events; field names depend on your parser):

method="GET" AND uri="*/descriptorByName/*" AND (uri="*password=*" OR uri="*apiKey=*" OR uri="*token=*") AND NOT referer="https://jenkins.example/*"
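The log indicators can be checked mechanically. The following Python script is an added example, not code from the advisory page or the plugin project: it parses combined-format access-log lines and flags GET requests to Jenkins form-validation endpoints that carry credential parameters and arrive with a cross-site or missing Referer. The descriptor class name in the sample lines (com.example.OctoperfDescriptor/testLogin) is a placeholder, not the plugin's real endpoint, and the log lines themselves are constructed.

```python
"""Flag cross-site GET requests to Jenkins form-validation endpoints that carry
credentials, from a combined-format access log.

Added example, not from the advisory page or the plugin project. The log lines
are constructed and the descriptor class in them is a placeholder; adjust
FORM_VALIDATION_RE to the path observed on your own instance.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# NCSA combined format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Jenkins form-validation endpoints live at /descriptorByName/<class>/<doMethod>;
# the prefixes below cover the usual test/check/validate connection buttons.
FORM_VALIDATION_RE = re.compile(r"/descriptorByName/[^/?]+/(?:test|check|validate|do)\w*", re.I)
# Query-string keys that indicate the request carries credentials.
CREDENTIAL_KEYS = {"username", "password", "apikey", "api_key", "token", "credentialsid"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str) -> Optional[str]:
    """Host of the Referer header, or None when absent ('-') or unparsable."""
    return urlsplit(referer).hostname


def classify(entry: Dict[str, str], jenkins_host: str) -> Optional[str]:
    """Return a reason string when the entry looks like a forged GET, else None."""
    if entry["method"] != "GET":
        return None                       # POSTs are crumb-protected; out of scope here
    path, _, query = entry["target"].partition("?")
    if not FORM_VALIDATION_RE.search(path):
        return None
    keys = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    if not keys & CREDENTIAL_KEYS:
        return None
    host = referer_host(entry["referer"])
    if host is None:
        # A lure page can suppress Referer (<meta name="referrer" content="no-referrer">),
        # so a missing Referer on a credential-bearing GET is suspicious, not benign.
        return "credential-bearing GET to form-validation endpoint with no Referer"
    if host.lower() != jenkins_host.lower():
        return f"credential-bearing GET to form-validation endpoint from cross-site Referer {host}"
    return None


def scan(lines: List[str], jenkins_host: str) -> List[Dict[str, str]]:
    """Run classify() over all parsable lines and collect the findings in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry, jenkins_host)
        if reason:
            findings.append({"ip": entry["ip"], "user": entry["user"],
                             "target": entry["target"], "reason": reason})
    return findings


# Constructed sample lines (not real traffic). Lines 2 and 3 are the forged requests:
# same victim session, credentials chosen by the attacker, Referer off-site or stripped.
SAMPLE_LOG = [
    '10.0.0.5 - alice [21/Mar/2023:10:15:01 +0000] "POST /descriptorByName/com.example.OctoperfDescriptor/testLogin HTTP/1.1" 200 40 "https://jenkins.corp.example/configure" "Mozilla/5.0"',
    '10.0.0.5 - alice [21/Mar/2023:10:15:32 +0000] "GET /descriptorByName/com.example.OctoperfDescriptor/testLogin?username=bob&password=hunter2 HTTP/1.1" 200 40 "https://lure.example/run-tests.html" "Mozilla/5.0"',
    '10.0.0.5 - alice [21/Mar/2023:10:15:33 +0000] "GET /descriptorByName/com.example.OctoperfDescriptor/testLogin?username=bob&password=hunter3 HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '10.0.0.7 - carol [21/Mar/2023:10:16:10 +0000] "GET /descriptorByName/com.example.OctoperfDescriptor/testLogin?username=svc&password=x HTTP/1.1" 200 40 "https://jenkins.corp.example/configure" "Mozilla/5.0"',
    '10.0.0.7 - carol [21/Mar/2023:10:16:12 +0000] "GET /descriptorByName/com.example.OctoperfDescriptor/checkName?value=perf HTTP/1.1" 200 2 "https://jenkins.corp.example/configure" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Mar/2023:10:17:00 +0000] "GET /job/build-all/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "jenkins.corp.example"):
        print(f"{f['ip']} {f['user']} {f['target']}\n  {f['reason']}")
```

Press the plugin's own test button once on a patched or test instance and copy the path it hits into FORM_VALIDATION_RE so the match is exact rather than prefix-based. A same-host Referer is not proof of legitimacy if an attacker can place content on the Jenkins origin (for example through a stored XSS elsewhere), so treat the rule as a triage filter, not a verdict.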
