PT-2023-25976 · Unknown · Metersphere

Lujiefsi · Published 2023-07-17 · Updated 2023-07-27 · CVE-2023-37461

CVSS v3.1: 5.6 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Metersphere versions prior to 2.10.3

Description: Metersphere is an open-source testing framework. Files uploaded to Metersphere may define a belongType value containing a relative path such as ../../../../, which may cause Metersphere to attempt to overwrite an existing file at the resulting location or to create a new file there. Attackers would be limited to overwriting files that the Metersphere process has access to.

Recommendations: For versions prior to 2.10.3, upgrade to version 2.10.3 to address the issue. As a temporary workaround, consider restricting file uploads or limiting access to sensitive files until the upgrade is applied.
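To make the failure mode concrete, the following is an added example, not Metersphere's code: a constructed Python model of how a destination path built from an attacker-controlled belongType escapes the upload directory, beside a hardened resolver that normalises the path and rejects anything outside the root. UPLOAD_ROOT, naive_target, safe_target and escapes_root are hypothetical names chosen for this illustration.

```python
import os
from pathlib import Path

# Hypothetical upload root; the real deployment path is not given on the page.
UPLOAD_ROOT = Path("/srv/metersphere/uploads")


def naive_target(belong_type: str, file_name: str) -> Path:
    """Destination built the way the vulnerable handler is described: a plain join.

    os.path.join keeps '..' segments verbatim, so a belongType of
    '../../../../etc' yields a path that leaves UPLOAD_ROOT once normalised.
    """
    return Path(os.path.join(str(UPLOAD_ROOT), belong_type, file_name))


def escapes_root(belong_type: str, file_name: str) -> bool:
    """True when the naive destination lands outside UPLOAD_ROOT (the condition
    described in this advisory); useful as a detection check over request data."""
    normalised = Path(os.path.normpath(naive_target(belong_type, file_name)))
    try:
        normalised.relative_to(UPLOAD_ROOT)
        return False
    except ValueError:
        return True


def safe_target(belong_type: str, file_name: str) -> Path:
    """Hardened variant: refuse absolute inputs, separators in the file name,
    and any normalised result that is not inside UPLOAD_ROOT.

    relative_to() compares path components, so a sibling directory such as
    '/srv/metersphere/uploads_evil' is rejected too; a bare string prefix
    check would accept it. os.path.normpath is purely lexical; a production
    resolver should additionally resolve symlinks (Path.resolve) before checking.
    """
    if Path(belong_type).is_absolute() or Path(file_name).is_absolute():
        raise ValueError("absolute paths are not allowed")
    if Path(file_name).name != file_name:
        raise ValueError("file name must not contain path separators")
    candidate = Path(os.path.normpath(naive_target(belong_type, file_name)))
    try:
        candidate.relative_to(UPLOAD_ROOT)
    except ValueError:
        raise ValueError(f"belongType {belong_type!r} escapes the upload root") from None
    return candidate
```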

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2023-37461
GHSA-XFR9-JGFP-FX3V

Affected Products

Metersphere