Lucene search

GitHub_MCVE-2022-23512

HistoryDec 14, 2022 - 2:15 p.m.

CVE-2022-23512

2022-12-1414:15:10

CWE-22

GitHub_M

web.nvd.nist.gov

metersphere

open source

continuous testing

path injection

apitestcaseservice

cve-2022-23512

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

35.2%

JSON

MeterSphere is a one-stop open source continuous testing platform. Versions prior to 2.4.1 are vulnerable to Path Injection in ApiTestCaseService::deleteBodyFiles which takes a user-controlled string id and passes it to ApiTestCaseService, which uses the user-provided value (testId) in new File(BODY_FILE_DIR + “/” + testId), being deleted later by file.delete(). By adding some camouflage parameters to the url, an attacker can target files on the server. The vulnerability has been fixed in v2.4.1.

Affected configurations

Nvd

Vulners

Node

meterspheremetersphereRange<2.4.1

VendorProductVersionCPE
meterspheremetersphere*cpe:2.3:a:metersphere:metersphere:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
metersphere	metersphere	*	cpe:2.3:a:metersphere:metersphere::::::::

CNA Affected

[
  {
    "vendor": "metersphere",
    "product": "metersphere",
    "versions": [
      {
        "version": "< 2.4.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/metersphere/metersphere/security/advisories/GHSA-5mwp-xw7p-5j27

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

35.2%

JSON

Related for CVE-2022-23512