CVE-2023-50267 - OpenCVE

MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, the authenticated attackers can update resources which don't belong to him if the resource ID is known. This issue if fixed in 2.10.10-lts. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Metersphere	Metersphere

Configuration 1 [-]

cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*

No data.

References

Link	Providers
https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-28T15:13:34.769Z

Updated: 2024-09-09T17:57:40.374Z

Reserved: 2023-12-05T20:42:59.380Z

Link: CVE-2023-50267

Vulnrichment

Updated: 2024-08-02T22:16:46.217Z

NVD

Status : Analyzed

Published: 2023-12-28T16:16:01.650

Modified: 2024-01-04T19:18:35.690

Link: CVE-2023-50267

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-50267", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-05T20:42:59.380Z", "datePublished": "2023-12-28T15:13:34.769Z", "dateUpdated": "2024-09-09T17:57:40.374Z"}, "containers": {"cna": {"title": "MeterSphere horizontal privilege escalation vulnerability of resources in project scope.", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9"}], "affected": [{"vendor": "metersphere", "product": "metersphere", "versions": [{"version": "< 2.10.10-lts", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-28T15:13:34.769Z"}, "descriptions": [{"lang": "en", "value": "MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, the authenticated attackers can update resources which don't belong to him if the resource ID is known. This issue if fixed in 2.10.10-lts. There are no known workarounds."}], "source": {"advisory": "GHSA-rcp4-c5p2-58v9", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:16:46.217Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-04T18:29:52.695478Z", "id": "CVE-2023-50267", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T17:57:40.374Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9", "name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:16:46.217Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-50267", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-04T18:29:52.695478Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T17:57:36.269Z"}}], "cna": {"title": "MeterSphere horizontal privilege escalation vulnerability of resources in project scope.", "source": {"advisory": "GHSA-rcp4-c5p2-58v9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "metersphere", "product": "metersphere", "versions": [{"status": "affected", "version": "< 2.10.10-lts"}]}], "references": [{"url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9", "name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, the authenticated attackers can update resources which don't belong to him if the resource ID is known. This issue if fixed in 2.10.10-lts. There are no known workarounds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-28T15:13:34.769Z"}}}, "cveMetadata": {"cveId": "CVE-2023-50267", "state": "PUBLISHED", "dateUpdated": "2024-09-09T17:57:40.374Z", "dateReserved": "2023-12-05T20:42:59.380Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-12-28T15:13:34.769Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*", "matchCriteriaId": "BA682301-E183-4BFE-9B56-5B3AC995997F", "versionEndExcluding": "2.10.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, the authenticated attackers can update resources which don't belong to him if the resource ID is known. This issue if fixed in 2.10.10-lts. There are no known workarounds."}, {"lang": "es", "value": "MeterSphere es una plataforma integral de pruebas continuas de c\u00f3digo abierto. Antes de 2.10.10-lts, los atacantes autenticados pueden actualizar recursos que no le pertenecen si conocen el ID del recurso. Este problema se solucion\u00f3 en 2.10.10-lts. No se conocen workarounds. "}], "id": "CVE-2023-50267", "lastModified": "2024-01-04T19:18:35.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-28T16:16:01.650", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}