Lucene search

GitHub_MCVE-2023-41878

HistorySep 27, 2023 - 3:19 p.m.

CVE-2023-41878

2023-09-2715:19:30

CWE-798

GitHub_M

web.nvd.nist.gov

metersphere

open source

continuous testing

platform

weak password

selenium

vnc

vulnerability

upgrade

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.001

Percentile

41.3%

JSON

MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Nvd

Vulners

Node

meterspheremetersphereRange<2.10.7lts

VendorProductVersionCPE
meterspheremetersphere*cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*

Vendor	Product	Version	CPE
metersphere	metersphere	*	cpe:2.3:a:metersphere:metersphere:::::lts:::*

CNA Affected

[
  {
    "vendor": "metersphere",
    "product": "metersphere",
    "versions": [
      {
        "version": "< 2.10.7 LTS",
        "status": "affected"
      }
    ]
  }
]

References

github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d

github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.001

Percentile

41.3%

JSON

Related for CVE-2023-41878