← Back to CVEs
CVE-2022-23512
HIGH7.7
Description
MeterSphere is a one-stop open source continuous testing platform. Versions prior to 2.4.1 are vulnerable to Path Injection in ApiTestCaseService::deleteBodyFiles which takes a user-controlled string id and passes it to ApiTestCaseService, which uses the user-provided value (testId) in new File(BODY_FILE_DIR + "/" + testId), being deleted later by file.delete(). By adding some camouflage parameters to the url, an attacker can target files on the server. The vulnerability has been fixed in v2.4.1.
CVE Details
CVSS v3.1 Score7.7
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
Published12/14/2022
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
metersphere:metersphere
Weaknesses (CWE)
CWE-22
References
https://github.com/metersphere/metersphere/security/advisories/GHSA-5mwp-xw7p-5j27(security-advisories@github.com)
https://github.com/metersphere/metersphere/security/advisories/GHSA-5mwp-xw7p-5j27(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.