CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
46.5%
MeterSphere allow users to upload file, but not check the file name, may lead to upload file to any path if the file name in upload request is falsified.
Metersphere’s FileUtils.java
didn’t check the filePath.
public static void createFile(String filePath, byte[] fileBytes) {
File file = new File(filePath);
if (file.exists()) {
file.delete();
}
try {
File dir = file.getParentFile();
if (!dir.exists()) {
dir.mkdirs();
}
file.createNewFile();
} catch (Exception e) {
LogUtil.error(e);
}
try (InputStream in = new ByteArrayInputStream(fileBytes); OutputStream out = new FileOutputStream(file)) {
final int MAX = 4096;
byte[] buf = new byte[MAX];
for (int bytesRead = in.read(buf, 0, MAX); bytesRead != -1; bytesRead = in.read(buf, 0, MAX)) {
out.write(buf, 0, bytesRead);
}
} catch (IOException e) {
LogUtil.error(e);
MSException.throwException(Translator.get("upload_fail"));
}
}
The vulnerability has been fixed in v2.5.1.
https://github.com/metersphere/metersphere/commit/3a890eeeb8a6b0887927c876a73bdb3a99a82138 : add validation for file name.
It is recommended to upgrade the version to v2.5.1.
If you have any questions or comments about this advisory, please open an issue.
github.com/metersphere/metersphere
github.com/metersphere/metersphere/blob/v2.5.0/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java#L5
github.com/metersphere/metersphere/releases/tag/v2.5.1
github.com/metersphere/metersphere/security/advisories/GHSA-9p62-x3c5-hr5p
nvd.nist.gov/vuln/detail/CVE-2022-46178