Vulnerability Details : CVE-2023-25573
Potential exploit
MeterSphere is an open source continuous testing platform. In affected versions an improper access control vulnerability exists in `/api/jmeter/download/files`, which allows any user to download any file without authentication. This issue may expose all files readable by the running process. This issue has been addressed in versions 1.20.20 LTS and 2.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Products affected by CVE-2023-25573
- cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-25573
- EPSS score: 91.91% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~100% (the proportion of vulnerabilities scored at or below this EPSS score)
CVSS scores for CVE-2023-25573
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | 
8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | 3.9 | 4.0 | GitHub, Inc. | 
CWE ids for CVE-2023-25573
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-25573
- https://github.com/metersphere/metersphere/security/advisories/GHSA-mcwr-j9vm-5g8h (Improper access control to download file · Advisory · metersphere/metersphere · GitHub) — Exploit; Third Party Advisory