CVE-2023-28672: 
Java vulnerability analysis and mitigation

The OctoPerf Load Testing Plugin Plugin version 4.5.1 and earlier for Jenkins contains a high-severity security vulnerability (CVE-2023-28672) that was disclosed on March 21, 2023. The vulnerability stems from a missing permission check in a connection test HTTP endpoint, which affects the plugin's security controls (Jenkins Advisory).

The vulnerability occurs due to the absence of proper permission checks in a connection test HTTP endpoint. This security flaw allows attackers who have Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs that were obtained through another method. The vulnerability has been assigned a severity rating of High according to the CVSS scoring system (Jenkins Advisory).

The vulnerability enables attackers with Overall/Read permission to capture credentials stored in Jenkins by connecting to attacker-specified URLs using credential IDs obtained through other means. This could lead to unauthorized access to sensitive credentials and potential compromise of Jenkins security (Jenkins Advisory).

The vulnerability has been fixed in OctoPerf Load Testing Plugin Plugin version 4.5.2, which properly performs permission checks when accessing the affected connection test HTTP endpoint. Users are advised to upgrade to this version or later to mitigate the vulnerability (Jenkins Advisory).