Arbitrary File Read Vulnerability in metersphere

metersphere is an open source continuous testing platform. In versions prior to 2.7.1 a user who has permission to create a resource file through UI operations is able to append a path to their submission query which will be read by the system and displayed to the user. This allows a users of the system to read arbitrary files on the filesystem of the server so long as the server process itself has permission to read the requested files. This issue has been addressed in version 2.7.1. All users are advised to upgrade. There are no known workarounds for this issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

对路径名的限制不恰当(路径遍历)

MeterSphere 路径遍历漏洞

MeterSphere是MeterSphere开源的一站式开源持续测试平台。 MeterSphere 2.7.1之前版本存在路径遍历漏洞，该漏洞源于用户通过在UI 操作创建资源文件的过程中将路径附加到提交查询中，该路径将会被系统读取并显示给用户， 攻击者利用该漏洞可以读取任意文件。

N/A

N/A