CVE-2023-37461

Опубликовано: 17 июл. 2023

Источник: nvd

CVSS3: 5.6

CVSS3: 9.8

EPSS Низкий

Описание

Metersphere is an opensource testing framework. Files uploaded to Metersphere may define a belongType value with a relative path like ../../../../ which may cause metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to overwriting files that the metersphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Ссылки

https://github.com/metersphere/metersphere/security/advisories/GHSA-xfr9-jgfp-fx3v
Exploit
Third Party Advisory
https://github.com/metersphere/metersphere/security/advisories/GHSA-xfr9-jgfp-fx3v
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:metersphere:metersphere:*:*:*:*:lts:*:*:*

Версия до 2.10.3 (исключая)

EPSS

Процентиль: 24%

0.00081

Низкий

5.6 Medium

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-22

EPSS

Процентиль: 24%

0.00081

Низкий

5.6 Medium

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-22