MeterSphere allows users to upload files but does not validate the file name, so a falsified file name in the upload request can cause the file to be written to an arbitrary path (path traversal).
MeterSphere's `FileUtils.java` did not check the `filePath` it was given:
```java
// Vulnerable version: filePath is used exactly as supplied by the upload
// request; nothing rejects ".." segments or absolute paths.
public static void createFile(String filePath, byte[] fileBytes) {
    File file = new File(filePath);
    if (file.exists()) {
        file.delete();
    }
    try {
        File dir = file.getParentFile();
        if (!dir.exists()) {
            dir.mkdirs();
        }
        file.createNewFile();
    } catch (Exception e) {
        LogUtil.error(e);
    }
    try (InputStream in = new ByteArrayInputStream(fileBytes); OutputStream out = new FileOutputStream(file)) {
        final int MAX = 4096;
        byte[] buf = new byte[MAX];
        for (int bytesRead = in.read(buf, 0, MAX); bytesRead != -1; bytesRead = in.read(buf, 0, MAX)) {
            out.write(buf, 0, bytesRead);
        }
    } catch (IOException e) {
        LogUtil.error(e);
        MSException.throwException(Translator.get("upload_fail"));
    }
}
```
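A hardened form of this method, as an added example that is not MeterSphere's own fix: the upload directory is fixed by the application, the request may only supply a bare file name, and the normalised target is re-checked against the canonical base directory. The class name, method signature and sample inputs are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

public class SafeFileWriter {
    // Writes uploaded bytes under baseDir. Only fileName is caller-controlled.
    public static Path createFile(Path baseDir, String fileName, byte[] fileBytes) throws IOException {
        // 1. Reject anything that is not a plain file name: separators,
        //    "." / ".." segments and NUL bytes.
        if (fileName == null || fileName.isEmpty()
                || fileName.contains("/") || fileName.contains("\\")
                || fileName.equals(".") || fileName.equals("..")
                || fileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name");
        }
        // 2. Resolve against the canonical base directory, normalise, and
        //    confirm the result is still inside it (defence in depth against
        //    symlinks and any separator form the first check did not cover).
        Path base = baseDir.toRealPath();
        Path target = base.resolve(fileName).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        Files.createDirectories(target.getParent());
        Files.write(target, fileBytes,
                StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING,
                StandardOpenOption.WRITE);
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads");   // constructed sandbox directory
        System.out.println("written: " + createFile(base, "report.txt", "hello".getBytes()));
        try {
            // constructed falsified name of the kind the advisory describes
            createFile(base, "../../outside.txt", new byte[0]);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```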
The vulnerability has been fixed in v2.5.1.
https://github.com/metersphere/metersphere/commit/3a890eeeb8a6b0887927c876a73bdb3a99a82138 : adds validation for the file name.
It is recommended to upgrade to v2.5.1.
If you have any questions or comments about this advisory, please open an issue.
NVD published: 2022-12-29T19:15:00Z. Severity: HIGH. CWE: CWE-22. GitHub reviewed: 2022-12-30T18:03:47Z.