Lucene search

[email protected]NVD:CVE-2023-41878

HistorySep 27, 2023 - 3:19 p.m.

CVE-2023-41878

2023-09-2715:19:30

CWE-798

[email protected]

web.nvd.nist.gov

metersphere

testing platform

selenium vnc

weak password

security vulnerability

upgrade

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

5.9

Confidence

High

EPSS

0.001

Percentile

41.3%

JSON

MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Nvd

Node

meterspheremetersphereRange<2.10.7lts

VendorProductVersionCPE
meterspheremetersphere*cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*

Vendor	Product	Version	CPE
metersphere	metersphere	*	cpe:2.3:a:metersphere:metersphere:::::lts:::*

References

github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d

github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

5.9

Confidence

High

EPSS

0.001

Percentile

41.3%

JSON

Related for NVD:CVE-2023-41878

cve1 prion1 vulnrichment1 osv1 cvelist1