CVE-2023-41878 - OpenCVE

MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Metersphere	Metersphere

Configuration 1 [-]

cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*

No data.

References

Link	Providers
https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d
https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-26T22:53:27.060Z

Updated: 2024-08-02T19:09:49.297Z

Reserved: 2023-09-04T16:31:48.223Z

Link: CVE-2023-41878

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-09-27T15:19:30.860

Modified: 2023-09-30T02:03:50.350

Link: CVE-2023-41878

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41878", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-04T16:31:48.223Z", "datePublished": "2023-09-26T22:53:27.060Z", "dateUpdated": "2024-08-02T19:09:49.297Z"}, "containers": {"cna": {"title": "Weak password of selenium VNC in MeterSphere", "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "lang": "en", "description": "CWE-798: Use of Hard-coded Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9"}, {"name": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d", "tags": ["x_refsource_MISC"], "url": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d"}], "affected": [{"vendor": "metersphere", "product": "metersphere", "versions": [{"version": "< 2.10.7 LTS", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-26T22:53:27.060Z"}, "descriptions": [{"lang": "en", "value": "MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-88vv-6rm4-59h9", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:09:49.297Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9"}, {"name": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*", "matchCriteriaId": "AC0CC671-BD17-418A-B9A2-14F967CEBE50", "versionEndExcluding": "2.10.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "MeterSphere es una plataforma integral de pruebas continuas de c\u00f3digo abierto que cubre funciones como seguimiento de pruebas, pruebas de interfaz, pruebas de UI y pruebas de rendimiento. La configuraci\u00f3n de Selenium VNC utilizada en Metersphere utiliza una contrase\u00f1a d\u00e9bil de forma predeterminada, los atacantes pueden iniciar sesi\u00f3n en vnc y obtener permisos elevados. Este problema se solucion\u00f3 en la versi\u00f3n 2.10.7 LTS. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-41878", "lastModified": "2023-09-30T02:03:50.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-27T15:19:30.860", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "security-advisories@github.com", "type": "Primary"}]}