Lucene search

GitHub_MCVELIST:CVE-2023-41878

HistorySep 26, 2023 - 10:53 p.m.

CVE-2023-41878 Weak password of selenium VNC in MeterSphere

2023-09-2622:53:27

CWE-798

GitHub_M

www.cve.org

metersphere

weak password

selenium vnc

vulnerability

upgrade

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

AI Score

9.7

Confidence

High

EPSS

0.001

Percentile

41.3%

JSON

MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "metersphere",
    "product": "metersphere",
    "versions": [
      {
        "version": "< 2.10.7 LTS",
        "status": "affected"
      }
    ]
  }
]

References

github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d

github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9