Lucene search

GitHub_MVULNRICHMENT:CVE-2023-41878

HistorySep 26, 2023 - 10:53 p.m.

CVE-2023-41878 Weak password of selenium VNC in MeterSphere

2023-09-2622:53:27

CWE-798

GitHub_M

github.com

cve-2023-41878

metersphere

selenium vnc

weak password vulnerability

version 2.10.7 lts

upgrade

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

AI Score

6.9

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d

github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9