CVE-2023-41878 - Vulnerability Details - OpenCVE

MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00139.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Metersphere	Metersphere

Configuration 1 [-]

cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-46368	MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d
https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9

History

Mon, 23 Sep 2024 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-26T22:53:27.060Z

Updated: 2024-09-23T19:26:22.214Z

Reserved: 2023-09-04T16:31:48.223Z

Link: CVE-2023-41878

Vulnrichment

Updated: 2024-08-02T19:09:49.297Z

NVD

Status : Modified

Published: 2023-09-27T15:19:30.860

Modified: 2024-11-21T08:21:50.207

Link: CVE-2023-41878

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41878", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-04T16:31:48.223Z", "datePublished": "2023-09-26T22:53:27.060Z", "dateUpdated": "2024-09-23T19:26:22.214Z"}, "containers": {"cna": {"title": "Weak password of selenium VNC in MeterSphere", "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "lang": "en", "description": "CWE-798: Use of Hard-coded Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9"}, {"name": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d", "tags": ["x_refsource_MISC"], "url": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d"}], "affected": [{"vendor": "metersphere", "product": "metersphere", "versions": [{"version": "< 2.10.7 LTS", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-26T22:53:27.060Z"}, "descriptions": [{"lang": "en", "value": "MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-88vv-6rm4-59h9", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:09:49.297Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9"}, {"name": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T18:53:44.637924Z", "id": "CVE-2023-41878", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T19:26:22.214Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9", "name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d", "name": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:09:49.297Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-41878", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-23T18:53:44.637924Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T19:26:13.802Z"}}], "cna": {"title": "Weak password of selenium VNC in MeterSphere", "source": {"advisory": "GHSA-88vv-6rm4-59h9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "metersphere", "product": "metersphere", "versions": [{"status": "affected", "version": "< 2.10.7 LTS"}]}], "references": [{"url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9", "name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d", "name": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798: Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-26T22:53:27.060Z"}}}, "cveMetadata": {"cveId": "CVE-2023-41878", "state": "PUBLISHED", "dateUpdated": "2024-09-23T19:26:22.214Z", "dateReserved": "2023-09-04T16:31:48.223Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-09-26T22:53:27.060Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*", "matchCriteriaId": "AC0CC671-BD17-418A-B9A2-14F967CEBE50", "versionEndExcluding": "2.10.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "MeterSphere es una plataforma integral de pruebas continuas de c\u00f3digo abierto que cubre funciones como seguimiento de pruebas, pruebas de interfaz, pruebas de UI y pruebas de rendimiento. La configuraci\u00f3n de Selenium VNC utilizada en Metersphere utiliza una contrase\u00f1a d\u00e9bil de forma predeterminada, los atacantes pueden iniciar sesi\u00f3n en vnc y obtener permisos elevados. Este problema se solucion\u00f3 en la versi\u00f3n 2.10.7 LTS. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-41878", "lastModified": "2024-11-21T08:21:50.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-27T15:19:30.860", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "security-advisories@github.com", "type": "Secondary"}]}