Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Metersphere is vulnerable to Path Injection.
Vulnerability Description
MeterSphere is a one-stop open source continuous testing platform. Versions prior to 2.4.1 are vulnerable to Path Injection in ApiTestCaseService::deleteBodyFiles which takes a user-controlled string id and passes it to ApiTestCaseService, which uses the user-provided value (testId) in new File(BODY_FILE_DIR + "/" + testId), being deleted later by file.delete(). By adding some camouflage parameters to the url, an attacker can target files on the server. The vulnerability has been fixed in v2.4.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
MeterSphere 路径遍历漏洞
Vulnerability Description
MeterSphere是MeterSphere开源的一站式开源持续测试平台。 MeterSphere 2.4.1之前版本存在路径遍历漏洞,该漏洞源于容易受到 ApiTestCaseService::deleteBodyFiles 中的路径注入攻击,攻击者利用该漏洞可以将服务器上的文件作为目标。
CVSS Information
N/A
Vulnerability Type
N/A