Metersphere
CVE-2023-41878
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.
Technical ContextAI
This vulnerability is classified as Use of Hard-coded Credentials (CWE-798), which allows attackers to gain access using credentials embedded in source code. MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Metersphere. Version information: version 2.10.7.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Remove hard-coded credentials, use environment variables or secrets management, rotate exposed credentials immediately.
More in Metersphere
View allMetersphere is an opensource testing framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Execution. Rated critical severity (CVSS 9.8), this vu
Metersphere is an open source continuous testing platform. Rated high severity (CVSS 8.8), this vulnerability is remotel
MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testi
MeterSphere is a one-stop open source continuous testing platform. Rated high severity (CVSS 8.1), this vulnerability is
MeterSphere is an open-source continuous testing platform. Rated high severity (CVSS 7.5), this vulnerability is remotel
metersphere is an open source continuous testing platform. Rated high severity (CVSS 7.5), this vulnerability is remotel
MeterSphere is an open source continuous testing platform. Rated medium severity (CVSS 6.5), this vulnerability is remot
MeterSphere is an open source continuous testing platform. Rated medium severity (CVSS 6.5), this vulnerability is remot
metersphere is an open source continuous testing platform. Rated medium severity (CVSS 6.5), this vulnerability is remot
MeterSphere is an open source continuous testing platform. Rated medium severity (CVSS 6.1), this vulnerability is remot
MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testi
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today