Metersphere Users Beware – Improper File Access Vulnerability Discovered

CVE: CVE-2023-25573
CVSS (v3.1): 8.6
Source: CVE-2023-25573

Metersphere is an open source load testing platform that allows users to run performance and load tests on their applications. Security researchers recently discovered a vulnerability in older versions of Metersphere that could allow unauthorized access to sensitive files.

The vulnerability exists in the Metersphere API endpoint used to download files. This endpoint did not implement proper authentication and authorization checks. As a result, any user could download any file accessible to the Metersphere process, without needing valid credentials.
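As an added illustration (not Metersphere's code: the storage root, session table and project membership below are constructed stand-ins), the following Python models a download handler with the gap described above beside a hardened version that authenticates the caller, checks project membership and confines the resolved path to the project's storage directory.

```python
import os
from typing import Optional

# Constructed storage root, session table and project membership. None of this
# is Metersphere's real data model; it only stands in for the pieces a
# download endpoint must consult before serving a file.
STORAGE_ROOT = "/var/lib/metersphere/files"
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
PROJECT_MEMBERS = {"proj-1": {"alice"}, "proj-2": {"bob"}}


class AccessDenied(Exception):
    pass


def download_vulnerable(project_id: str, name: str) -> str:
    """Before: the caller's identity is never checked and the requested name
    is joined straight onto the storage root, so '..' segments walk out of it
    and the endpoint serves any file the service account can read."""
    return os.path.normpath(os.path.join(STORAGE_ROOT, project_id, name))


def download_hardened(token: Optional[str], project_id: str, name: str) -> str:
    """After: authenticate, authorise against the owning project, and confine
    the resolved path to that project's directory."""
    user = SESSIONS.get(token)                                 # 1. authentication
    if user is None:
        raise AccessDenied("not authenticated")
    if user not in PROJECT_MEMBERS.get(project_id, set()):     # 2. authorisation
        raise AccessDenied("not a member of this project")
    project_dir = os.path.realpath(os.path.join(STORAGE_ROOT, project_id))
    resolved = os.path.realpath(os.path.join(project_dir, name))
    if os.path.commonpath([project_dir, resolved]) != project_dir:  # 3. containment
        raise AccessDenied("path escapes project storage")
    return resolved


def check(token: Optional[str], project_id: str, name: str) -> str:
    """Run the hardened handler and report the outcome as a string."""
    try:
        return "OK " + download_hardened(token, project_id, name)
    except AccessDenied as exc:
        return "DENIED " + str(exc)


if __name__ == "__main__":
    traversal = "../../../../../etc/passwd"
    print("vulnerable   :", download_vulnerable("proj-1", traversal))
    print("no session   :", check(None, "proj-1", "plan.jmx"))
    print("wrong project:", check("tok-bob", "proj-1", "plan.jmx"))
    print("traversal    :", check("tok-alice", "proj-1", traversal))
    print("legitimate   :", check("tok-alice", "proj-1", "plan.jmx"))
```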

An attacker could exploit this by directly accessing the vulnerable API endpoint and downloading confidential files like database credentials, source code files or test data. This could lead to data breaches or further attacks on systems.

The good news is that the Metersphere developers have addressed this issue in recent versions. Users are advised to immediately upgrade to Metersphere version 1.20.20 LTS or above to protect their files and applications. Avoiding outdated software and keeping applications updated is one of the best ways to stay protected against vulnerabilities.

If upgrading is not possible, consider restricting network access to the vulnerable API endpoint as a temporary workaround. Also review the types of files accessible to the Metersphere process and tighten permissions if needed. Staying vigilant about application security is important for all software users.
