Lucene search

GitHub_MCVELIST:CVE-2023-35937

HistoryJul 06, 2023 - 1:50 p.m.

CVE-2023-35937 Metersphere missing permission check

2023-07-0613:50:10

CWE-862

GitHub_M

www.cve.org

metersphere

permission vulnerability

version 2.10.2

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

42.8%

JSON

Metersphere is an open source continuous testing platform. In versions prior to 2.10.2 LTS, some key APIs in Metersphere lack permission checks. This allows ordinary users to execute APIs that can only be executed by space administrators or project administrators. For example, ordinary users can be updated as space administrators. Version 2.10.2 LTS has a patch for this issue.

CNA Affected

[
  {
    "vendor": "metersphere",
    "product": "metersphere",
    "versions": [
      {
        "version": "< 2.10.2-LTS",
        "status": "affected"
      }
    ]
  }
]

References

github.com/metersphere/metersphere/security/advisories/GHSA-7xj3-qrx5-524r

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

AI Score

8.9

Confidence

High

EPSS

0.001

Percentile

42.8%

JSON

Related for CVELIST:CVE-2023-35937