CVE-2023-25573
📋 TL;DR
This vulnerability allows any user to download any file from the MeterSphere testing platform without authentication. It affects all MeterSphere users running vulnerable versions, potentially exposing sensitive files accessible to the running process. The issue stems from improper access control in the /api/jmeter/download/files endpoint.
💻 Affected Systems
- MeterSphere
📦 What is this software?
Metersphere by Metersphere
⚠️ Risk & Real-World Impact
Worst Case
Attackers could download sensitive configuration files, credentials, test data, or any other files accessible to the MeterSphere process, leading to complete system compromise.
Likely Case
Unauthenticated users accessing the platform could download test files, configuration data, and potentially sensitive information stored in accessible directories.
If Mitigated
With proper authentication and access controls, only authorized users could access files through the intended download functionality.
🎯 Exploit Status
The vulnerability requires no authentication and can be exploited with simple HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.20.20 LTS or 2.7.1
Vendor Advisory: https://github.com/metersphere/metersphere/security/advisories/GHSA-mcwr-j9vm-5g8h
Restart Required: Yes
Instructions:
1. Backup your current MeterSphere installation and data.
2. Download the patched version (1.20.20 LTS or 2.7.1) from the official repository.
3. Follow the upgrade instructions in the MeterSphere documentation.
4. Restart the MeterSphere service.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the MeterSphere instance to trusted networks only.
Web Server Configuration
Configure the web server (nginx/apache) in front of MeterSphere to block access to the /api/jmeter/download/files endpoint. Example nginx location block:
location /api/jmeter/download/files { deny all; }
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to MeterSphere
- Deploy a web application firewall (WAF) with rules to block unauthorized file download attempts
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[metersphere-host]/api/jmeter/download/files without authentication. If files can be downloaded, the system is vulnerable.
Check Version:
Check the MeterSphere web interface dashboard or run: docker exec metersphere cat /opt/metersphere/version.txt
Verify Fix Applied:
After patching, attempt the same unauthenticated access. The endpoint should now require proper authentication.
📡 Detection & Monitoring
Log Indicators:
- Multiple unauthenticated requests to /api/jmeter/download/files
- Unusual file download patterns from unauthenticated IPs
Network Indicators:
- HTTP GET requests to /api/jmeter/download/files without authentication headers
- Unusual outbound file transfers from MeterSphere server
SIEM Query:
source="metersphere" AND (uri_path="/api/jmeter/download/files" AND NOT auth_token=*)
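Added detection example (not from the advisory or the MeterSphere project): the "multiple unauthenticated requests" indicator above, run over constructed access-log lines. It assumes a hypothetical nginx log_format that appends the request's Authorization header as a final quoted field; MeterSphere ships no such log format by default.

```python
import re
from collections import Counter

# Vulnerable endpoint named in the advisory.
VULN_PATH = "/api/jmeter/download/files"

# Assumed log_format (hypothetical): combined format plus the request's
# Authorization header as a trailing quoted field ("-" when absent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "[^"]*" "(?P<auth>[^"]*)"$'
)

# Constructed sample log: two unauthenticated downloads from one IP, one
# authenticated download, and one unrelated unauthenticated request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET /api/jmeter/download/files?name=a HTTP/1.1" 200 4096 "-" "curl/7.88" "-"
203.0.113.7 - - [10/Mar/2023:12:00:02 +0000] "GET /api/jmeter/download/files?name=b HTTP/1.1" 200 8192 "-" "curl/7.88" "-"
198.51.100.3 - - [10/Mar/2023:12:00:05 +0000] "GET /api/jmeter/download/files?name=c HTTP/1.1" 200 512 "-" "Mozilla/5.0" "Bearer REDACTED"
192.0.2.9 - - [10/Mar/2023:12:00:09 +0000] "GET /api/project/list HTTP/1.1" 401 30 "-" "Mozilla/5.0" "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauth_downloads(log_text):
    """Return one event per unauthenticated request to the vulnerable endpoint.

    'served' is True when the server answered 2xx, i.e. the file was actually
    handed out; a 401/403 here means the endpoint is already protected."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["url"].split("?", 1)[0]          # drop the query string
        if path != VULN_PATH or rec["auth"] not in ("", "-"):
            continue
        hits.append({"ip": rec["ip"], "ts": rec["ts"],
                     "served": rec["status"].startswith("2")})
    return hits


def repeat_offenders(hits, threshold=2):
    """IPs with at least `threshold` unauthenticated hits (the 'multiple requests' indicator)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Run repeat_offenders(find_unauth_downloads(SAMPLE_LOG)) against a real log; any 'served' event after the patch is applied means the fix is not in effect.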