-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from HTTP endpoints handling Octoperf server connections without proper permission checks (CWE-284/CWE-862) and CSRF protections. Jenkins plugins typically implement such endpoints via servlet methods (e.g., doGet/doPost) in descriptor classes. The advisory explicitly states these endpoints allowed GET requests and lacked authorization checks. The functions above are standard candidates for connection testing logic in Jenkins plugins, and the fix in 4.5.3 (adding POST requirements and permissions) would directly target these methods. While the exact code isn't provided, the pattern matches Jenkins plugin architecture and the described vulnerability mechanics.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkinsci.plugins:octoperf | maven | <= 4.5.2 | 4.5.3 |
JavaJavaOngoing coverage of React2Shell