Vulnerability Description
MeterSphere is an open source continuous testing platform. Versions 2.9.1 and prior are vulnerable to denial of service. The `checkUserPassword` method checks whether the password submitted by the user matches the password stored in the database, and the `CodingUtil.md5` method hashes the original password with MD5 so that it is not stored in plain text. Because no length limit is applied before hashing, a user who submits a very long password at login forces the server to run the MD5 computation over the entire input, exhausting server CPU and memory and causing a denial of service. This issue is fixed in version 2.10.0-lts by enforcing a maximum password length.
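The defensive fix the advisory describes is an input bound applied before any hashing work happens. The following Java class is an added illustration written for this page; it is not MeterSphere's own `checkUserPassword` or `CodingUtil.md5` code, and the cap of 64 characters is an assumed value (the page does not state the limit chosen in 2.10.0-lts). It shows the unbounded check beside the bounded one, using only the JDK (`HexFormat` requires Java 17 or later).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public class PasswordLengthGuard {

    // Assumed upper bound for this example; the real limit in the fixed release is not given on the page.
    static final int MAX_PASSWORD_LENGTH = 64;

    // Vulnerable shape: every byte the client sends is fed to the hash, so request size drives server cost.
    static boolean checkUserPasswordUnbounded(String submitted, String storedMd5Hex) {
        return md5Hex(submitted).equalsIgnoreCase(storedMd5Hex);
    }

    // Hardened shape: reject oversized (or empty) input cheaply before any hashing is performed.
    static boolean checkUserPasswordBounded(String submitted, String storedMd5Hex) {
        if (submitted == null || submitted.isEmpty() || submitted.length() > MAX_PASSWORD_LENGTH) {
            return false; // no digest computed for input outside the allowed range
        }
        // Constant-time comparison of the digest bytes avoids leaking match position through timing.
        return MessageDigest.isEqual(md5(submitted), HexFormat.of().parseHex(storedMd5Hex));
    }

    static byte[] md5(String s) {
        try {
            return MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is a required JDK algorithm", e);
        }
    }

    static String md5Hex(String s) {
        return HexFormat.of().formatHex(md5(s));
    }

    public static void main(String[] args) {
        // Constructed sample: the stored digest of a known password.
        String stored = md5Hex("correct horse battery");

        System.out.println(checkUserPasswordBounded("correct horse battery", stored)); // true
        System.out.println(checkUserPasswordBounded("wrong password", stored));        // false
        // Oversized input is refused before hashing, which is the behaviour the fix introduces.
        System.out.println(checkUserPasswordBounded("x".repeat(10_000), stored));      // false
    }
}
```

In a web application the same bound is best enforced at the request-validation layer as well (for example a size constraint on the login DTO), so that oversized credentials are rejected before they reach the authentication service. Note also that a plain MD5 of the password, as the advisory describes, is not a suitable password hash; a length cap removes the resource-exhaustion path but does not change that.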
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Metersphere | Metersphere | <= 2.9.1 |
Related Weaknesses (CWE)
References
- https://github.com/metersphere/metersphere/commit/c59e381d368990214813085a1a4877 (Patch)
- https://github.com/metersphere/metersphere/security/advisories/GHSA-qffq-8gf8-mh (Exploit, Vendor Advisory)
FAQ
What is CVE-2023-32699?
CVE-2023-32699 is a vulnerability with a CVSS score of 6.5 (MEDIUM). MeterSphere is an open source continuous testing platform. Version 2.9.1 and prior are vulnerable to denial of service. The `checkUserPassword` method is used to check whether the password provided b...
How severe is CVE-2023-32699?
CVE-2023-32699 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-32699?
Check the references section above for vendor advisories and patch information. Affected products include: Metersphere Metersphere.