CVE-2022-23512: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in metersphere metersphere

Medium
Published: Wed Dec 14 2022 (12/14/2022, 13:09:36 UTC)
Source: CVE
Vendor/Project: metersphere
Product: metersphere

Description

MeterSphere is a one-stop open source continuous testing platform. Versions prior to 2.4.1 are vulnerable to Path Injection in ApiTestCaseService::deleteBodyFiles which takes a user-controlled string id and passes it to ApiTestCaseService, which uses the user-provided value (testId) in new File(BODY_FILE_DIR + "/" + testId), being deleted later by file.delete(). By adding some camouflage parameters to the url, an attacker can target files on the server. The vulnerability has been fixed in v2.4.1.

AI-Powered Analysis

Last updated: 06/21/2025, 15:52:13 UTC

Technical Analysis

CVE-2022-23512 is a path traversal vulnerability in MeterSphere, an open-source continuous testing platform widely used for automated testing workflows. The vulnerability affects versions prior to 2.4.1 and resides in the ApiTestCaseService::deleteBodyFiles function. This function accepts a user-controlled string parameter, 'testId', which is concatenated directly with a predefined directory path (BODY_FILE_DIR) to form a file path. The constructed path is then used to delete files on the server via file.delete(). Because the 'testId' parameter is not validated or sanitized, an attacker can craft an input containing path traversal sequences (e.g., '../') together with additional camouflage parameters in the URL to escape the intended directory restriction. This allows the attacker to delete arbitrary files on the server filesystem that the application process has permission to access. The vulnerability was fixed in MeterSphere version 2.4.1 by adding proper path validation and restriction. No known exploits have been reported in the wild to date. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), which typically leads to unauthorized file system access or manipulation. Exploitation requires access to the vulnerable API endpoint and the ability to send crafted requests, but does not require authentication or user interaction beyond the request itself. The impact primarily affects the integrity and availability of files on the server hosting MeterSphere, potentially disrupting testing operations or causing denial of service by deleting critical files. Confidentiality impact is limited unless sensitive files are deleted or overwritten. The vulnerability is rated medium severity, but its practical impact can be higher depending on the server environment and the permissions of the application process.
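The following is an added example, not MeterSphere's own code, showing the vulnerable concatenation pattern described above next to a hardened delete that allow-lists the identifier and verifies the resolved path stays inside the base directory. The BODY_FILE_DIR value and the method names are assumptions for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class BodyFileDeleter {
    // Hypothetical base directory; the real BODY_FILE_DIR value is not given in the advisory.
    private static final Path BODY_FILE_DIR = Paths.get("/opt/metersphere/data/body").toAbsolutePath().normalize();

    // Test case ids are opaque identifiers, so a conservative allow-list is sufficient.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Pattern described in the advisory: raw concatenation with no containment check (do not use).
    static boolean deleteBodyFilesVulnerable(String testId) {
        File file = new File(BODY_FILE_DIR + "/" + testId);
        return file.delete();
    }

    // Hardened version: reject anything outside the allow-list, then confirm containment after normalization.
    static boolean deleteBodyFilesSafe(String testId) throws IOException {
        if (testId == null || !SAFE_ID.matcher(testId).matches()) {
            throw new IllegalArgumentException("invalid test id");
        }
        Path target = BODY_FILE_DIR.resolve(testId).normalize();
        if (!target.startsWith(BODY_FILE_DIR) || target.equals(BODY_FILE_DIR)) {
            throw new IllegalArgumentException("path escapes body file directory");
        }
        // Refuse symbolic links so a planted link inside the directory cannot redirect the delete elsewhere.
        if (Files.isSymbolicLink(target)) {
            throw new IllegalArgumentException("refusing to delete symbolic link");
        }
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample ids: one well-formed id and three that must be rejected.
        String[] samples = {"case-123", "../../etc/passwd", "a/b", "case 1"};
        for (String s : samples) {
            try {
                deleteBodyFilesSafe(s);
                System.out.println("accepted: " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The allow-list check alone stops the traversal sequences the advisory describes; the startsWith check is kept as defense in depth in case the id format is later relaxed.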

Potential Impact

For European organizations utilizing MeterSphere versions prior to 2.4.1, this vulnerability poses a risk to the integrity and availability of their continuous testing infrastructure. Successful exploitation could lead to deletion of critical test case files or configuration data, resulting in disruption of automated testing pipelines, delays in software delivery, and potential operational downtime. Organizations relying heavily on continuous integration and deployment (CI/CD) processes may experience workflow interruptions, impacting development velocity and quality assurance. While confidentiality risks are lower, deletion of sensitive files or logs could indirectly affect compliance and forensic capabilities. The vulnerability could also be leveraged as part of a broader attack chain to destabilize development environments or cover tracks by deleting logs. European entities in sectors with stringent software quality requirements, such as finance, healthcare, and manufacturing, may face increased operational and reputational risks. Additionally, organizations with exposed MeterSphere instances accessible over the internet are at higher risk of remote exploitation.

Mitigation Recommendations

1. Upgrade MeterSphere to version 2.4.1 or later immediately to apply the official patch that properly validates and restricts file path inputs.
2. Implement strict input validation and sanitization on all user-controlled parameters, especially those used in file system operations, to prevent path traversal sequences.
3. Restrict file system permissions for the MeterSphere application process to the minimum necessary, ensuring it cannot delete or modify files outside its designated directories.
4. Employ Web Application Firewalls (WAFs) with rules to detect and block path traversal patterns in HTTP requests targeting MeterSphere endpoints.
5. Monitor application logs and file system integrity for unusual deletion activities or access patterns indicative of exploitation attempts.
6. Limit network exposure of MeterSphere instances by placing them behind VPNs or internal networks, reducing the attack surface.
7. Conduct regular security audits and penetration testing focused on file system access controls within development and testing platforms.
8. Educate development and operations teams about secure coding practices related to file handling to prevent similar vulnerabilities in custom extensions or integrations.

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-01-19T21:23:53.776Z
Cisa Enriched
true

Threat ID: 682d984ac4522896dcbf794e

Added to database: 5/21/2025, 9:09:30 AM

Last enriched: 6/21/2025, 3:52:13 PM

Last updated: 8/17/2025, 8:25:55 AM
