CVE-2023-32699
Summary
| CVE | CVE-2023-32699 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-05-30 19:15:00 UTC |
| Updated | 2023-11-07 04:14:00 UTC |
| Description | MeterSphere is an open source continuous testing platform. Version 2.9.1 and prior are vulnerable to denial of service. The `checkUserPassword` method is used to check whether the password provided by the user matches the password saved in the database, and the `CodingUtil.md5` method is used to encrypt the original password with MD5 to ensure that the password will not be saved in plain text when it is stored. If a user submits a very long password when logging in, the system will be forced to execute the long password MD5 encryption process, causing the server CPU and memory to be exhausted, thereby causing a denial of service attack on the server. This issue is fixed in version 2.10.0-lts with a maximum password length. |
Risk And Classification
Problem Types: CWE-770
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Metersphere | Metersphere | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| refactor(系统设置): 登录认证信息长度验证 · metersphere/metersphere@c59e381 · GitHub | MISC | github.com | |
| metersphere存在DoS漏洞 · Advisory · metersphere/metersphere · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.