CVE-2023-41878: Weak password of selenium VNC
MeterSphere is a one-stop open source continuous testing platform covering test tracking, interface testing, UI testing and performance testing. The Selenium VNC configuration shipped with MeterSphere uses a weak password by default, so an attacker who can reach the VNC port can log in to VNC and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Moderate
fit2-zhao published GHSA-88vv-6rm4-59h9
Sep 26, 2023
Package
No package listed
Affected versions
<= 2.10.6 LTS
Patched versions
>= 2.10.7 LTS
Description
Selenium VNC uses a weak password by default; attackers can log in to VNC and obtain high permissions.
Solution
Upgrade the selenium image to 4.10.0 and disable VNC by default.
System administrators who need VNC can enable it manually, run it in view-only mode and set a complex password.
See:
metersphere/installer@35598ac
metersphere/installer@02dd31c
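Checking a compose service definition against the solution above, as an added example rather than code from the advisory or the MeterSphere installer: it flags a pre-4.10.0 image, VNC left enabled with the image default or no password, and VNC not in view-only mode. The SE_* variable names are the ones the official selenium docker images read and are assumed here, as are the 12-character minimum and the constructed sample services.

```python
"""Audit a docker-compose service running a Selenium image for the VNC exposure
in GHSA-88vv-6rm4-59h9. Variable names and thresholds are assumptions (see lead-in)."""
from typing import Dict, List, Optional, Tuple, Union
# Environment variables of the official selenium/* images (assumed names).
START_VNC, VIEW_ONLY, NO_PASSWORD, PASSWORD = (
    "SE_START_VNC", "SE_VNC_VIEW_ONLY", "SE_VNC_NO_PASSWORD", "SE_VNC_PASSWORD")
FIXED_IMAGE = (4, 10, 0)   # version the advisory's fix upgrades to
MIN_PASSWORD_LEN = 12      # assumed threshold for a "complex password"
TRUE_VALUES = ("1", "true", "yes")

def parse_env(env: Union[Dict[str, str], List[str]]) -> Dict[str, str]:
    """Accept both compose forms: a mapping, or a list of KEY=value strings."""
    if isinstance(env, dict):
        return {k: str(v).strip() for k, v in env.items()}
    pairs = (item.partition("=") for item in env)
    return {k.strip(): v.strip() for k, _, v in pairs}

def image_version(image: str) -> Optional[Tuple[int, ...]]:
    """'selenium/standalone-chrome:4.10.0-20230607' -> (4, 10, 0); None if unpinned."""
    tag = image.rsplit(":", 1)[1] if ":" in image else "latest"
    try:
        return tuple(int(p) for p in tag.split("-")[0].split("."))
    except ValueError:
        return None

def audit(service: dict) -> List[str]:
    """Return findings for one service; an empty list means it follows the advisory."""
    findings: List[str] = []
    env = parse_env(service.get("environment", {}))
    version = image_version(service.get("image", ""))
    if version is None or version < FIXED_IMAGE:
        findings.append("selenium image unpinned or older than 4.10.0")
    # The images start VNC unless SE_START_VNC is explicitly false.
    if env.get(START_VNC, "true").lower() not in TRUE_VALUES:
        return findings
    if env.get(NO_PASSWORD, "false").lower() in TRUE_VALUES:
        findings.append("VNC reachable without a password")
    elif not env.get(PASSWORD):
        findings.append("VNC uses the image's default password")
    elif len(env[PASSWORD]) < MIN_PASSWORD_LEN:
        findings.append("VNC password shorter than %d characters" % MIN_PASSWORD_LEN)
    if env.get(VIEW_ONLY, "false").lower() not in TRUE_VALUES:
        findings.append("VNC not in view-only mode")
    return findings

# Constructed sample services: the weak default and two advisory-compliant setups.
WEAK_DEFAULT = {"image": "selenium/standalone-chrome:4.9.0", "environment": []}
VNC_DISABLED = {"image": "selenium/standalone-chrome:4.10.0", "environment": ["SE_START_VNC=false"]}
VNC_ADMIN_ENABLED = {"image": "selenium/standalone-chrome:4.10.0-20230607",
                     "environment": {"SE_START_VNC": "true", "SE_VNC_VIEW_ONLY": "true",
                                     "SE_VNC_PASSWORD": "PLACEHOLDER-strong-pw-1"}}
```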
Severity
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L