CVE-2023-38494

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-38494
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38494.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-38494
Aliases
  • GHSA-fjp5-95pv-5253
Published
2023-08-04T15:44:44.645Z
Modified
2025-12-04T23:59:23.765112Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H
Summary
Interfaces in the cloud version of MeterSphere leak some sensitive data without authentication
Details

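MeterSphere is an open-source continuous testing platform. Prior to version 2.10.4 LTS, some interfaces of the Cloud version of MeterSphere have no permission checks configured, so attackers can use them to obtain sensitive information. Version 2.10.4 LTS contains a patch for this issue. Note that the CVSS vector listed for this entry records PR:L (low privileges required), while the summary describes the leak as happening without authentication; check both when triaging exposure.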

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/38xxx/CVE-2023-38494.json"
}
References

Affected packages

Git / github.com/metersphere/metersphere

Affected ranges

Type
GIT
Repo
https://github.com/metersphere/metersphere
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.8.1
v1.8.2

v2.*

v2.10.0-lts
v2.10.1-lts
v2.10.2-lts
v2.10.3-lts

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "321072344534009687334059131527906436984",
            "length": 143.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2023-38494-43b0579f",
        "target": {
            "file": "framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/BaseUserController.java",
            "function": "getProjectMemberListAll"
        },
        "source": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"
    },
    {
        "digest": {
            "function_hash": "56142778020650762036795352833164388160",
            "length": 148.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2023-38494-5627d37f",
        "target": {
            "file": "framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/BaseUserController.java",
            "function": "getProjectMembers"
        },
        "source": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"
    },
    {
        "digest": {
            "line_hashes": [
                "299980170416247527889914439101680983140",
                "308816979517240046159463966203953235909",
                "226549391367527013080182466347227261108",
                "81142875458412365327764034967231590354",
                "195559599403108707515881388943902405333",
                "235750246860127352689065752221446561278",
                "203574870392431886742255083398460550777",
                "69997268153738165927594549837443175404",
                "252959569899027391946901296217881663875",
                "323296517117721463244725973440539486304",
                "304823422256066523979117933372125732614",
                "327551624965680096830322938795422806548",
                "254642413412494210912767973011575551023",
                "118955417403764983895631277246602407867",
                "179999093263277208761601551986249564537",
                "211760182657427842160133257865343133659",
                "87532362932385745141363323312436191019",
                "213173329002167782171308048926900339276",
                "131934604689345082363098561998944572727",
                "105809858135683885160517078317546918303",
                "180345195576557774908162672391885912889",
                "203858655758301823539166828700370769433",
                "44488315192965019273560009411969762619",
                "227929301342441068615211712716384321580",
                "85498111060090562979125220273531454184"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2023-38494-672d7fe7",
        "target": {
            "file": "framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/BaseUserController.java"
        },
        "source": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"
    },
    {
        "digest": {
            "function_hash": "321072344534009687334059131527906436984",
            "length": 143.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2023-38494-b3b0d5b5",
        "target": {
            "file": "framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/BaseUserController.java",
            "function": "getCurrentWorkspaceMember"
        },
        "source": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"
    },
    {
        "digest": {
            "line_hashes": [
                "314815026187418254566058515706160116426",
                "307706096591965078731402049544583837591",
                "289315633483669568263634739657383539594",
                "214197853717236048355117736592652392497",
                "166917525026655294121890988246804714767",
                "102660408670479685865638352030046593556",
                "166628887033748502260297119448491429834"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2023-38494-e1bd5542",
        "target": {
            "file": "project-management/backend/src/main/java/io/metersphere/controller/GroupController.java"
        },
        "source": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"
    },
    {
        "digest": {
            "line_hashes": [
                "124741910323822635229216445372777221825",
                "213997054387425044359784169483795344417",
                "329224188998003196416219709970661109824",
                "177220046522325731537956743486715712834",
                "151399894236966462529896477734821508480",
                "315753126580635466084397887716282983208",
                "258151276158324289605977686921908248928",
                "297612686448025956847657936101353099272",
                "51619023655597877836900272903690863085",
                "252959569899027391946901296217881663875",
                "292735356537804083481925168373776354687",
                "176723601065173019103259226151174794645",
                "158274898000507699635915631321166805277",
                "259455296739853364693649693467573681927",
                "271465938686316713954583168000338390497",
                "83105345553693330361465160262354775364",
                "164820847363070074219068735704521907451",
                "242413634713850259747818124798762061752",
                "314815026187418254566058515706160116426",
                "307706096591965078731402049544583837591",
                "289315633483669568263634739657383539594",
                "214197853717236048355117736592652392497"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2023-38494-f1420e4d",
        "target": {
            "file": "system-setting/backend/src/main/java/io/metersphere/controller/GroupController.java"
        },
        "source": "https://github.com/metersphere/metersphere/commit/a23f75d93b666901fd148d834df9384f6f24cf28"
    }
]