CVE-2023-37461 MEDIUM

CVE-2023-37461: Path traversal in metersphere

Vendor Metersphere
Product metersphere
Weakness CWE-22 · Path traversal
Published July 17, 2023
Last update October 10, 2024

CVSS base score

5.6/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

Metersphere is an open-source testing framework. Files uploaded to Metersphere may define a `belongType` value containing a relative path such as `../../../../`, which may cause Metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to overwriting files that the Metersphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
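The flaw class described above (CWE-22), shown as an added illustration that is not Metersphere's code or its 2.10.3 fix: a client-supplied directory component joined into an upload path, next to a version that validates the component and confirms containment. `UPLOAD_ROOT`, the function names and the sample values are assumptions made for the example.

```python
import os
from pathlib import Path

# Hypothetical upload root (assumption; not a path taken from Metersphere).
UPLOAD_ROOT = Path("/srv/app/uploads")


class UnsafePathError(ValueError):
    """A client-supplied path component would escape the upload root."""


def naive_destination(belong_type: str, filename: str,
                      root: Path = UPLOAD_ROOT) -> Path:
    # Flawed pattern: client input is joined into the path unchecked.
    # normpath only shows where the write would actually land.
    return Path(os.path.normpath(root / belong_type / filename))


def safe_destination(belong_type: str, filename: str,
                     root: Path = UPLOAD_ROOT) -> Path:
    # 1. Each client-supplied value must be one plain path segment.
    for part in (belong_type, filename):
        if not part or part in (".", "..") or "\x00" in part:
            raise UnsafePathError(f"invalid path component: {part!r}")
        if "/" in part or "\\" in part:
            raise UnsafePathError(f"separator in path component: {part!r}")
    # 2. Defence in depth: resolve symlinks and '..', then require that
    #    the result is still located under the resolved upload root.
    base = root.resolve()
    dest = (base / belong_type / filename).resolve()
    if base not in dest.parents:
        raise UnsafePathError(f"{dest} is outside {base}")
    return dest


if __name__ == "__main__":
    # Constructed samples: one ordinary value, then the value from the advisory.
    for belong_type in ("attachments", "../../../../"):
        print(repr(belong_type), "->", naive_destination(belong_type, "report.jmx"))
        try:
            print("  accepted:", safe_destination(belong_type, "report.jmx"))
        except UnsafePathError as exc:
            print("  rejected:", exc)
```

The second check only matters when a symlink inside the upload root points elsewhere; the segment validation alone already rejects the `../../../../` value.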

Key dates

02 Disclosure timeline

July 17, 2023 CVE published
October 10, 2024 Record updated