CVE-2023-38494 - Vulnerability Details - OpenCVE

MeterSphere is an open-source continuous testing platform. Prior to version 2.10.4 LTS, some interfaces of the Cloud version of MeterSphere do not have configuration permissions, and are sensitively leaked by attackers. Version 2.10.4 LTS contains a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Metersphere	Metersphere

Configuration 1 [-]

cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*

No data.

References

Link	Providers
https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28
https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253

History

Tue, 08 Oct 2024 18:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:metersphere:metersphere::::::::
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-08-04T15:44:44.645Z

Updated: 2024-10-08T18:08:24.671Z

Reserved: 2023-07-18T16:28:12.076Z

Link: CVE-2023-38494

Vulnrichment

Updated: 2024-08-02T17:46:54.992Z

NVD

Status : Modified

Published: 2023-08-04T16:15:10.177

Modified: 2024-11-21T08:13:41.380

Link: CVE-2023-38494

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-38494", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-18T16:28:12.076Z", "datePublished": "2023-08-04T15:44:44.645Z", "dateUpdated": "2024-10-08T18:08:24.671Z"}, "containers": {"cna": {"title": "The cloud version of the MeterSphere interface leaks some sensitive data without authentication", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253"}, {"name": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28", "tags": ["x_refsource_MISC"], "url": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"}], "affected": [{"vendor": "metersphere", "product": "metersphere", "versions": [{"version": "< 2.10.4-LTS", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-04T15:44:44.645Z"}, "descriptions": [{"lang": "en", "value": "MeterSphere is an open-source continuous testing platform. Prior to version 2.10.4 LTS, some interfaces of the Cloud version of MeterSphere do not have configuration permissions, and are sensitively leaked by attackers. Version 2.10.4 LTS contains a patch for this issue."}], "source": {"advisory": "GHSA-fjp5-95pv-5253", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:54.992Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253"}, {"name": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"}]}, {"affected": [{"vendor": "metersphere", "product": "metersphere", "cpes": ["cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.10.4-lts", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-08T18:07:42.981805Z", "id": "CVE-2023-38494", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-08T18:08:24.671Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253", "name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28", "name": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:54.992Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-38494", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-08T18:07:42.981805Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*"], "vendor": "metersphere", "product": "metersphere", "versions": [{"status": "affected", "version": "0", "lessThan": "2.10.4-lts", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-08T18:08:18.452Z"}}], "cna": {"title": "The cloud version of the MeterSphere interface leaks some sensitive data without authentication", "source": {"advisory": "GHSA-fjp5-95pv-5253", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "metersphere", "product": "metersphere", "versions": [{"status": "affected", "version": "< 2.10.4-LTS"}]}], "references": [{"url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253", "name": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28", "name": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MeterSphere is an open-source continuous testing platform. Prior to version 2.10.4 LTS, some interfaces of the Cloud version of MeterSphere do not have configuration permissions, and are sensitively leaked by attackers. Version 2.10.4 LTS contains a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-04T15:44:44.645Z"}}}, "cveMetadata": {"cveId": "CVE-2023-38494", "state": "PUBLISHED", "dateUpdated": "2024-10-08T18:08:24.671Z", "dateReserved": "2023-07-18T16:28:12.076Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-08-04T15:44:44.645Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*", "matchCriteriaId": "34BBA850-D024-4FED-9794-74C62218EF49", "versionEndExcluding": "2.10.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MeterSphere is an open-source continuous testing platform. Prior to version 2.10.4 LTS, some interfaces of the Cloud version of MeterSphere do not have configuration permissions, and are sensitively leaked by attackers. Version 2.10.4 LTS contains a patch for this issue."}, {"lang": "es", "value": "MeterSphere es una plataforma de pruebas continuas de c\u00f3digo abierto. Antes de la versi\u00f3n 2.10.4 LTS, algunas interfaces de la versi\u00f3n Cloud de MeterSphere no tienen permisos de configuraci\u00f3n, y son filtradas sensiblemente por los atacantes. La versi\u00f3n 2.10.4 LTS contiene un parche para este problema."}], "id": "CVE-2023-38494", "lastModified": "2024-11-21T08:13:41.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.7, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-08-04T16:15:10.177", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-fjp5-95pv-5253"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Primary"}]}