CVE-2023-38494 - OpenCVE

MeterSphere is an open-source continuous testing platform. Prior to version 2.10.4 LTS, some interfaces of the Cloud version of MeterSphere do not have configuration permissions, and are sensitively leaked by attackers. Version 2.10.4 LTS contains a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Metersphere	Metersphere

Configuration 1 [-]

cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*

No data.

References

Link	Providers
https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28
https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-08-04T15:44:44.645Z

Updated: 2024-08-02T17:46:54.992Z

Reserved: 2023-07-18T16:28:12.076Z

Link: CVE-2023-38494

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-08-04T16:15:10.177

Modified: 2023-08-08T20:24:08.943

Link: CVE-2023-38494

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-38494", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-18T16:28:12.076Z", "datePublished": "2023-08-04T15:44:44.645Z", "dateUpdated": "2024-08-02T17:46:54.992Z"}, "containers": {"cna": {"title": "The cloud version of the MeterSphere interface leaks some sensitive data without authentication", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253"}, {"name": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28", "tags": ["x_refsource_MISC"], "url": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"}], "affected": [{"vendor": "metersphere", "product": "metersphere", "versions": [{"version": "< 2.10.4-LTS", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-04T15:44:44.645Z"}, "descriptions": [{"lang": "en", "value": "MeterSphere is an open-source continuous testing platform. Prior to version 2.10.4 LTS, some interfaces of the Cloud version of MeterSphere do not have configuration permissions, and are sensitively leaked by attackers. Version 2.10.4 LTS contains a patch for this issue."}], "source": {"advisory": "GHSA-fjp5-95pv-5253", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:54.992Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253"}, {"name": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*", "matchCriteriaId": "34BBA850-D024-4FED-9794-74C62218EF49", "versionEndExcluding": "2.10.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MeterSphere is an open-source continuous testing platform. Prior to version 2.10.4 LTS, some interfaces of the Cloud version of MeterSphere do not have configuration permissions, and are sensitively leaked by attackers. Version 2.10.4 LTS contains a patch for this issue."}, {"lang": "es", "value": "MeterSphere es una plataforma de pruebas continuas de c\u00f3digo abierto. Antes de la versi\u00f3n 2.10.4 LTS, algunas interfaces de la versi\u00f3n Cloud de MeterSphere no tienen permisos de configuraci\u00f3n, y son filtradas sensiblemente por los atacantes. La versi\u00f3n 2.10.4 LTS contiene un parche para este problema."}], "id": "CVE-2023-38494", "lastModified": "2023-08-08T20:24:08.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-08-04T16:15:10.177", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}