CVE-2023-25573

Source
https://cve.org/CVERecord?id=CVE-2023-25573
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-25573.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-25573
Aliases
  • GHSA-mcwr-j9vm-5g8h
Published
2023-03-09T16:33:40.592Z
Modified
2025-11-29T14:02:44.058414Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Improper access control to download file in metersphere
Details

metersphere is an open source continuous testing platform. In affected versions, an improper access control vulnerability exists in the /api/jmeter/download/files endpoint, which allows any user to download arbitrary files without authentication. This may expose every file readable by the process running metersphere. The issue has been addressed in versions 1.20.20-lts and 2.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25573.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/metersphere/metersphere

Affected ranges

Type
GIT
Repo
https://github.com/metersphere/metersphere
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
(no fix commit recorded; the fixed version is given in the range below)
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.20.20lts"
        }
    ]
}
Type
GIT
Repo
https://github.com/metersphere/metersphere
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.7.1"
        }
    ]
}

Affected versions

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.2.1
v1.20.0-lts
v1.20.1-lts
v1.20.10-lts
v1.20.11-lts
v1.20.12-lts
v1.20.13-lts
v1.20.14-lts
v1.20.15-lts
v1.20.16-lts
v1.20.17-lts
v1.20.18-lts
v1.20.19-lts
v1.20.2-lts
v1.20.3-lts
v1.20.4-lts
v1.20.5-lts
v1.20.6-lts
v1.20.7-lts
v1.20.8-lts
v1.20.9-lts
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.8.2
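The two ranges above are per-branch OSV intervals of the form [introduced, fixed), and the tag list above is sorted as strings (v1.20.10-lts precedes v1.20.2-lts), which is a trap for anyone scripting a version check against this record. The following Python is an added example, not metersphere project code or OSV tooling: it parses the record's version spellings (including the record's own "1.20.20lts"), evaluates a deployed version against the two ranges with numeric comparison, and picks the newest affected tag from a constructed sample of the list above. AFFECTED_RANGES copies the record; SAMPLE_TAGS is a constructed subset of the tag list; the function names are the example's own.

```python
import re

# Affected ranges exactly as recorded under "Database specific" above.
# "1.20.20lts" is the record's spelling; the tag list writes "1.20.20-lts",
# so the parser accepts both forms.
AFFECTED_RANGES = [
    {"introduced": "0", "fixed": "1.20.20lts"},
    {"introduced": "2.0.0", "fixed": "2.7.1"},
]

# Constructed subset of the "Affected versions" list above, in the page's
# (string-sorted) order.
SAMPLE_TAGS = ["v1.20.10-lts", "v1.20.19-lts", "v1.20.2-lts", "v1.20.9-lts", "v1.8.2"]

# optional "v", dotted numbers, optional branch suffix with or without "-"
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:-?([A-Za-z]+))?$")


def parse_version(text):
    """Parse 'v1.20.10-lts', '1.20.20lts' or '2.7.1' into (numbers, suffix).

    numbers is a tuple of ints so that 1.20.10 sorts after 1.20.2; a plain
    string comparison would order them the other way round.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    suffix = (m.group(2) or "").lower()   # "lts" is a branch label, not a pre-release
    return numbers, suffix


def _numeric(text, width=4):
    """Numeric sort key, zero-padded so '1.20' and '1.20.0' compare equal."""
    numbers, _ = parse_version(text)
    return numbers + (0,) * (width - len(numbers))


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if `version` falls inside any [introduced, fixed) range.

    OSV semantics: the introduced version is affected, the fixed one is not,
    and introduced == "0" means everything before the fix on that branch.
    """
    key = _numeric(version)
    for rng in ranges:
        low = (0, 0, 0, 0) if rng["introduced"] == "0" else _numeric(rng["introduced"])
        high = _numeric(rng["fixed"]) if "fixed" in rng else None
        if key >= low and (high is None or key < high):
            return True
    return False


def newest_affected(tags, ranges=AFFECTED_RANGES):
    """Highest affected tag by numeric order (not by string order)."""
    affected = [t for t in tags if is_affected(t, ranges)]
    return max(affected, key=_numeric) if affected else None


def triage(versions, ranges=AFFECTED_RANGES):
    """Map each deployed version string to 'affected' or 'fixed'."""
    return {v: ("affected" if is_affected(v, ranges) else "fixed") for v in versions}


if __name__ == "__main__":
    deployed = ["v1.8.2", "1.20.19-lts", "1.20.20-lts", "2.0.0", "2.7.0", "2.7.1"]
    for version, verdict in triage(deployed).items():
        print(f"{version:14} {verdict}")
    print("newest affected sample tag:", newest_affected(SAMPLE_TAGS))
    print("string max of the same tags:", max(SAMPLE_TAGS))
```

Note that the ranges are per branch: a 1.x version numerically above 1.20.20 would be reported as fixed even though nothing on the page says such a release exists, so always compare against the exact fixed versions the record names (1.20.20-lts and 2.7.1) rather than assuming the branches are one line.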

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-25573.json"