CVE-2023-25573

Published Mar 9, 2023

Last updated 2 years ago

Overview

Description: metersphere is an open source continuous testing platform. In affected versions an improper access control vulnerability exists in `/api/jmeter/download/files`, which allows any user to download any file without authentication. This issue may expose all files available to the running process. This issue has been addressed in version 1.20.20 lts and 2.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: security-advisories@github.com
NVD status: Analyzed

Hype score: Not currently trending

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

Weaknesses

security-advisories@github.com: CWE-862

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E2A3BB9F-DE19-41DC-8982-4DA6A494A3EA",
            "versionEndExcluding": "1.20.19"
          },
          {
            "criteria": "cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3BA3266B-79B5-47A5-8782-E85441E5F42E",
            "versionEndIncluding": "2.6.2",
            "versionStartIncluding": "2.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 3.1

Weaknesses

Configurations

References