Lucene search

[email protected]NVD:CVE-2023-25814

HistoryMar 09, 2023 - 6:15 p.m.

CVE-2023-25814

2023-03-0918:15:09

CWE-22

[email protected]

web.nvd.nist.gov

metersphere

open source

continuous testing

vulnerability

version 2.7.1

upgrade

filesystem

server

permission

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

26.4%

JSON

metersphere is an open source continuous testing platform. In versions prior to 2.7.1 a user who has permission to create a resource file through UI operations is able to append a path to their submission query which will be read by the system and displayed to the user. This allows a users of the system to read arbitrary files on the filesystem of the server so long as the server process itself has permission to read the requested files. This issue has been addressed in version 2.7.1. All users are advised to upgrade. There are no known workarounds for this issue.

Affected configurations

NVD

Node

meterspheremetersphereRange<2.7.1

References

github.com/metersphere/metersphere/security/advisories/GHSA-fwc3-5h55-mh2j

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

26.4%

JSON

Related for NVD:CVE-2023-25814

osv1 prion1 cve1 cvelist1