CVE-2023-30550 - OpenCVE

MeterSphere is an open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing, and performance testing. This IDOR vulnerability allows the administrator of a project to modify other projects under the workspace. An attacker can obtain some operating permissions. The issue has been fixed in version 2.9.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Metersphere	Metersphere

Configuration 1 [-]

cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/metersphere/metersphere/releases/tag/v2.9.0
https://github.com/metersphere/metersphere/security/advisories/GHSA-j5cq-cpw2-gp2q

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-04T17:26:13.218Z

Updated: 2024-08-02T14:28:51.805Z

Reserved: 2023-04-12T15:19:33.767Z

Link: CVE-2023-30550

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-05-04T18:15:10.150

Modified: 2023-05-10T19:49:30.397

Link: CVE-2023-30550

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30550", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-12T15:19:33.767Z", "datePublished": "2023-05-04T17:26:13.218Z", "dateUpdated": "2024-08-02T14:28:51.805Z"}, "containers": {"cna": {"title": "IDOR vulnerability exists in metersphere", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-j5cq-cpw2-gp2q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-j5cq-cpw2-gp2q"}, {"name": "https://github.com/metersphere/metersphere/releases/tag/v2.9.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/metersphere/metersphere/releases/tag/v2.9.0"}], "affected": [{"vendor": "metersphere", "product": "metersphere", "versions": [{"version": "< 2.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-04T17:26:13.218Z"}, "descriptions": [{"lang": "en", "value": "MeterSphere is an open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing, and performance testing. This IDOR vulnerability allows the administrator of a project to modify other projects under the workspace. An attacker can obtain some operating permissions. The issue has been fixed in version 2.9.0."}], "source": {"advisory": "GHSA-j5cq-cpw2-gp2q", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:28:51.805Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-j5cq-cpw2-gp2q", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-j5cq-cpw2-gp2q"}, {"name": "https://github.com/metersphere/metersphere/releases/tag/v2.9.0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/metersphere/metersphere/releases/tag/v2.9.0"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AAA4FC1-D68F-4981-B337-34526D03AE94", "versionEndExcluding": "2.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MeterSphere is an open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing, and performance testing. This IDOR vulnerability allows the administrator of a project to modify other projects under the workspace. An attacker can obtain some operating permissions. The issue has been fixed in version 2.9.0."}], "id": "CVE-2023-30550", "lastModified": "2023-05-10T19:49:30.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-05-04T18:15:10.150", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/metersphere/metersphere/releases/tag/v2.9.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-j5cq-cpw2-gp2q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}