Improper access control to download file in metersphere
CVE-2023-25573

8.6HIGH

Key Information:

Vendor: Metersphere
Status: Metersphere
Vendor: CVE Published:; 9 March 2023

🔔 Create Metersphere Vulnerability Alert

What is CVE-2023-25573?

Metersphere, an open source continuous testing platform, contains an improper access control vulnerability in the '/api/jmeter/download/files' endpoint. This flaw allows unauthenticated users to download any file accessible to the running process, potentially exposing sensitive data. Affected users should upgrade to versions 1.20.20 LTS or 2.7.1 to mitigate this issue. No workarounds are available.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

metersphere < 1.20.20 lts < 1.20.20 lts

metersphere >= 2.0.0, < 2.7.1 < 2.0.0, 2.7.1

References

https://github.com/metersphere/metersphere/security/advis...

x_refsource_CONFIRM

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Mar 9, 2023
Vulnerability Reserved
Feb 7, 2023

JSON

Metersphere

What is CVE-2023-25573?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.