Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MeterSphere denial of service vulnerability
Vulnerability Description
MeterSphere is an open source continuous testing platform. Version 2.9.1 and prior are vulnerable to denial of service. The `checkUserPassword` method is used to check whether the password provided by the user matches the password saved in the database, and the `CodingUtil.md5` method is used to encrypt the original password with MD5 to ensure that the password will not be saved in plain text when it is stored. If a user submits a very long password when logging in, the system will be forced to execute the long password MD5 encryption process, causing the server CPU and memory to be exhausted, thereby causing a denial of service attack on the server. This issue is fixed in version 2.10.0-lts with a maximum password length.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
不加限制或调节的资源分配
Vulnerability Title
MeterSphere 安全漏洞
Vulnerability Description
MeterSphere是MeterSphere开源的一站式开源持续测试平台。 MeterSphere 2.9.1 及之前版本存在安全漏洞,该漏洞源于在登陆时提交一个非常长的口令,就会迫使系统执行长口令MD5加密过程,导致服务器CPU及内存耗尽,从而对服务器造成拒绝服务攻击。
CVSS Information
N/A
Vulnerability Type
N/A