PT-2023-20172 · Unknown · Metersphere

Superxiaoxiong

Publicado

2023-03-09

Atualizado

2023-03-15

CVE-2023-25573

CVSS v3.1

8.6

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions metersphere versions prior to 1.20.20 lts metersphere versions prior to 2.7.1

Description metersphere is an open source continuous testing platform. An improper access control issue exists in "/api/jmeter/download/files", which allows any user to download any file without authentication. This may expose all files available to the running process.

Recommendations For versions prior to 1.20.20 lts, upgrade to version 1.20.20 lts or later. For versions prior to 2.7.1, upgrade to version 2.7.1 or later. As a temporary workaround, consider restricting access to the "/api/jmeter/download/files" endpoint until a patch is available.

Exploit

Correção

Missing Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-862

Identificadores relacionados

CVE-2023-25573

GHSA-MCWR-J9VM-5G8H

Produtos afetados

Metersphere

PT-2023-20172 · Unknown · Metersphere

CVE-2023-25573

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7