PT-2023-23972 · Unknown · Metersphere

Fit2-Zhao · Published 2023-05-30 · Updated 2023-06-06 · CVE-2023-32699

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: MeterSphere versions 2.9.1 and prior

Description: MeterSphere is an open source continuous testing platform. The issue arises when a user submits a very long password at login: the server runs the full MD5 computation over that password in the checkUserPassword method via CodingUtil.md5 before any length check, so the cost of the login request scales with the attacker-controlled input. Repeated requests exhaust server CPU and memory, resulting in a denial of service.

Recommendations: For versions 2.9.1 and prior, update to version 2.10.0-lts, which fixes the issue by enforcing a maximum password length. As a temporary workaround, restrict the accepted password length so that the MD5 computation is never run over oversized input.
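The shape of the fix the advisory recommends, as an added example that is not MeterSphere's code: the login check rejects overlong input before any hashing work, while the pre-fix shape hashes whatever arrives. The cap value, the function names and the byte counter are assumptions for this illustration; MD5 is kept only to mirror the page.

```python
import hashlib
import hmac

# Constructed cap for this example; the page does not state the exact
# maximum that MeterSphere 2.10.0-lts enforces.
MAX_PASSWORD_LENGTH = 128

# Instrumentation so a test can show how much input each path hashes.
bytes_hashed = {"total": 0}


def md5_hex(data: str) -> str:
    """Unsalted MD5 over the password text, mirroring CodingUtil.md5 as the
    advisory describes it (kept to follow the page; MD5 is not a suitable
    password hash in its own right)."""
    raw = data.encode("utf-8")
    bytes_hashed["total"] += len(raw)
    return hashlib.md5(raw).hexdigest()


def check_user_password_vulnerable(submitted: str, stored_md5: str) -> bool:
    """Pre-fix shape: the server hashes whatever length the client sent."""
    return md5_hex(submitted) == stored_md5


class PasswordTooLong(ValueError):
    """Raised before any hashing work is done."""


def check_user_password_fixed(submitted: str, stored_md5: str,
                              max_len: int = MAX_PASSWORD_LENGTH) -> bool:
    """Fixed shape: bound the input first, then hash and compare."""
    if len(submitted) > max_len:
        raise PasswordTooLong(f"password exceeds {max_len} characters")
    return hmac.compare_digest(md5_hex(submitted), stored_md5)


def hashed_bytes_for(check, submitted: str, stored_md5: str) -> int:
    """Run one login check and return how many bytes it fed to MD5."""
    before = bytes_hashed["total"]
    try:
        check(submitted, stored_md5)
    except PasswordTooLong:
        pass
    return bytes_hashed["total"] - before
```

The length check belongs at the request boundary (before hashing, ideally also as a body-size limit in front of the application), so an oversized login attempt costs the server a comparison of one integer rather than a hash over megabytes.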

Weakness Enumeration

Allocation of Resources Without Limits
Related Identifiers

CVE-2023-32699
GHSA-QFFQ-8GF8-MHQ7

Affected Products

Metersphere