CVE-2023-41878

Weak password of selenium VNC in MeterSphere

Description

MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC config used in Metersphere is using a weak password by default, attackers can login to vnc and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Link	Tags
https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9	third party advisory patch
https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d	patch

Frequently Asked Questions

What is the severity of CVE-2023-41878?: CVE-2023-41878 has been scored as a medium severity vulnerability.
How to fix CVE-2023-41878?: To fix CVE-2023-41878, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-41878 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2023-41878 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-41878?: CVE-2023-41878 affects metersphere metersphere.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-798 – Use of Hard-coded Credentials

References

Frequently Asked Questions