CVE-2023-32699

Published: May 30, 2023

Modified: Jan 10, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

MeterSphere is an open source continuous testing platform. Version 2.9.1 and prior are vulnerable to denial of service. The `checkUserPassword` method is used to check whether the password provided by the user matches the password saved in the database, and the `CodingUtil.md5` method is used to encrypt the original password with MD5 to ensure that the password will not be saved in plain text when it is stored. If a user submits a very long password when logging in, the system will be forced to execute the long password MD5 encryption process, causing the server CPU and memory to be exhausted, thereby causing a denial of service attack on the server. This issue is fixed in version 2.10.0-lts with a maximum password length.

Vendor	Product	Versions
metersphere	metersphere	affected `< 2.10`

Weaknesses (CWE)

CWE-770

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/metersphere/metersphere/security/advisories/GHSA-qffq-8gf8-mhq7

x_refsource_CONFIRM

https://github.com/metersphere/metersphere/commit/c59e381d368990214813085a1a4877c5ef865411

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-32699

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References