CVE-2023-25573
Published: 2023-03-09
Priority: P1 83 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N AC:L PR:N UI:N S:U C:H I:N A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 49.85% (98.8th percentile)
metersphere is an open source continuous testing platform. In affected versions an improper access control vulnerability exists in `/api/jmeter/download/files`, which allows any user to download any file without authentication. This issue may expose all files available to the running process. This issue has been addressed in version 1.20.20 lts and 2.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metersphere | metersphere | < 1.20.20 lts | 1.20.20 lts |
| metersphere | metersphere | < 1.20.19 | 1.20.19 |
| metersphere | metersphere | — | — |
| metersphere | metersphere | 2.0.0 – 2.6.2 | — |
Detection & IOCs (extracted from sources)

Command (request as observed in exploitation):

```http
POST /api/jmeter/download/files HTTP/1.1
Content-Type: application/json

{"reportId":"{{str}}","bodyFiles":[{"id":"{{rand}}","name":"/etc/passwd"}]}
```

Other: Shodan query `http.html:"metersphere"`
- Detect exploitation attempts by monitoring POST requests to /api/jmeter/download/files without authentication headers; the request body will contain a JSON payload with a 'bodyFiles' array where the 'name' field contains an arbitrary file path (e.g., /etc/passwd).
- Successful exploitation returns HTTP 200 with Content-Type 'application/octet-stream' and a Content-Disposition header containing 'filename="<reportId>.zip"', indicating a file archive was served.
- Use FOFA/Shodan to identify exposed Metersphere instances as potential targets: search for body containing 'Metersphere'/'metersphere' or title 'metersphere'.
- The vulnerability is present in Metersphere versions prior to 1.20.20 LTS and 2.7.1. Instances running patched versions are not affected.
- The endpoint requires no authentication (PR:N, UI:N per CVSS), meaning any unauthenticated network request can trigger the file read. Detection rules should not filter on authenticated sessions.
- The EPSS score is 0.93603 (99.836th percentile), indicating this vulnerability is very likely being actively exploited in the wild.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| VulnCheck | — | 8.6 | HIGH | — |
No detection rules found.
Nuclei

Metersphere - Arbitrary File Read (nuclei · CVSS 7.5 · HIGH)

Metersphere is an open source continuous testing platform. In affected versions an improper access control vulnerability exists in `/api/jmeter/download/files`, which allows any user to download any file without authentication. This issue may expose all files available to the running process. This issue has been addressed in version 1.20.20 lts and 2.7.1.

Template:

```yaml
id: CVE-2023-25573
info:
  name: Metersphere - Arbitrary File Read
  author: DhiyaneshDK
  severity: high
  description: |
    Metersphere is an open source continuous testing platform. In affected versions an improper access control vulnerability exists in `/api/jmeter/download/files`, which allows any user to download any file without authentication. This issue may expose all files available to the run
```
No writeups or analysis indexed.