Metersphere is an opensource testing framework. Files uploaded to Metersphere may define a `belongType` value with a relative path like `../../../../` which may cause metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to overwriting files that the metersphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Link | Resource |
---|---|
https://github.com/metersphere/metersphere/security/advisories/GHSA-xfr9-jgfp-fx3v | Exploit Third Party Advisory |
https://github.com/metersphere/metersphere/security/advisories/GHSA-xfr9-jgfp-fx3v | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 08:11
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/metersphere/metersphere/security/advisories/GHSA-xfr9-jgfp-fx3v - Exploit, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.6 |
27 Jul 2023, 03:45
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/metersphere/metersphere/security/advisories/GHSA-xfr9-jgfp-fx3v - Exploit, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CPE | cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:* |
17 Jul 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-17 20:15
Updated : 2024-11-21 08:11
NVD link : CVE-2023-37461
Mitre link : CVE-2023-37461
CVE.ORG link : CVE-2023-37461
JSON object : View
Products Affected
metersphere
- metersphere
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')