CVE-2022-23512

Name of the Vulnerable Software and Affected Versions MeterSphere versions prior to 2.4.1

Description The issue concerns a Path Injection vulnerability in the ApiTestCaseService::deleteBodyFiles function, which takes a user-controlled string id and uses the provided value (testId) to construct a file path. This allows an attacker to target files on the server by adding specific parameters to the URL. The vulnerability has been fixed in version 2.4.1.

Recommendations For versions prior to 2.4.1, update to version 2.4.1 to resolve the issue. As a temporary workaround, consider restricting access to the ApiTestCaseService::deleteBodyFiles function to minimize the risk of exploitation. Avoid using user-controlled input for the testId variable in the affected API endpoint until the issue is resolved.