{"id":"CVE-2023-41878","summary":"Weak password of selenium VNC in MeterSphere","details":"MeterSphere is a one-stop open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing and performance testing. The Selenium VNC configuration used in MeterSphere sets a weak password by default, so attackers can log in to VNC and obtain high permissions. This issue has been addressed in version 2.10.7 LTS. Users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["GHSA-88vv-6rm4-59h9"],"modified":"2026-04-12T07:19:27.404797Z","published":"2023-09-26T22:53:27.060Z","database_specific":{"cwe_ids":["CWE-798"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41878.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41878.json"},{"type":"ADVISORY","url":"https://github.com/metersphere/metersphere/security/advisories/GHSA-88vv-6rm4-59h9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41878"},{"type":"FIX","url":"https://github.com/metersphere/installer/commit/02dd31c0951a225eaad99eda560e3eb91ba3001d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/metersphere/installer","events":[{"introduced":"0"},{"fixed":"02dd31c0951a225eaad99eda560e3eb91ba3001d"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v1.0.0","v1.0.1","v1.10.0","v1.10.0-lts","v1.10.1","v1.10.1-lts","v1.10.2","v1.10.2-lts","v1.10.3","v1.10.3-lts","v1.12.0","v1.12.1","v1.12.2","v1.2.0","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.5.0","v1.5.1","v1.6.0","v1.6.1","v1.6.2","v1.7.0","v1.9.0","v1.9.1","v1.9.2","v1.9.3","v2.10.0-lts","v2.10.0-lts-arm64","v2.10.1-lts","v2.10.1-lts-arm64","v2.10.2-lts","v2.10.2-lts-arm64","v2.10.3-lts","v2.10.3-lts-arm64","v2.10.4-lts","v2.10.4-lts-arm64","v2.10.5-lts","v2.10.5-lts-arm64"],"database_specific":{"source":"https
://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41878.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/metersphere/metersphere","events":[{"introduced":"0"},{"fixed":"7f7afdc566818c91f636b81cc0e1a6ea7b3d88dc"}],"database_specific":{"cpe":"cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.10.7"}],"source":"CPE_FIELD"}}],"versions":["v1.0.0","v1.2.0","v2.10.0-lts","v2.10.1-lts","v2.10.2-lts","v2.10.3-lts","v2.10.4-lts","v2.10.5-lts","v2.10.6-lts"],"database_specific":{"vanir_signatures":[{"id":"CVE-2023-41878-2ceeb020","deprecated":false,"source":"https://github.com/metersphere/metersphere/commit/7f7afdc566818c91f636b81cc0e1a6ea7b3d88dc","target":{"file":"api-test/backend/src/main/java/io/metersphere/api/parse/api/Swagger3Parser.java"},"digest":{"threshold":0.9,"line_hashes":["265726758043739931497050607538087241059","312586663059360599288001800208821731715","334352982051916231784832766756301035435","306562876091474798761126124713891591199","137526767671394388633257348495112346362","242587460897851115658328798711169231218","6533768208711954750737255197294029538","55427795859926366828212091779381507968","130599103049366796924616930475048673458","87177612146114493625503275428354651791","277339147589518461746487552430222534019","237897770576414489093163962354227264163","340064771938469715433709661540827740432","312581125929980178936663033175404683737","4705107663745999734477433993776122537","208869977307002633475905072945548752312","289551980629421440941574573112713256846","96246980116123279888053672193991266709","261101273846456427731998294707784713251","162127231415715375917575426837472126911","208869481105121055640218128127842028989","121325250129751365006772405877771736314","51794718125153198471659992084478491404","339105457742781733916501206258513412462","152480834855586769929377551851168749311","73416081765873469277999913372311702135","158490767488466317019686249618487225522"
]},"signature_version":"v1","signature_type":"Line"},{"id":"CVE-2023-41878-e3b15e7a","deprecated":false,"source":"https://github.com/metersphere/metersphere/commit/7f7afdc566818c91f636b81cc0e1a6ea7b3d88dc","target":{"function":"setAuths","file":"api-test/backend/src/main/java/io/metersphere/api/parse/api/Swagger3Parser.java"},"digest":{"length":1961,"function_hash":"284316655001719492584455063008345499729"},"signature_version":"v1","signature_type":"Function"}],"vanir_signatures_modified":"2026-04-12T07:19:27Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41878.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L"}]}