GHSA-9P62-X3C5-HR5P

Vulnerability from github – Published: 2022-12-30 18:03 – Updated: 2022-12-30 18:03
VLAI?
Summary
Path Traversal In MeterSpere leads to upload file to any path
Details

Summary

MeterSphere allow users to upload file, but not check the file name, may lead to upload file to any path if the file name in upload request is falsified.

Details

Metersphere's FileUtils.java didn't check the filePath.

    public static void createFile(String filePath, byte[] fileBytes) {
        File file = new File(filePath);
        if (file.exists()) {
            file.delete();
        }
        try {
            File dir = file.getParentFile();
            if (!dir.exists()) {
                dir.mkdirs();
            }
            file.createNewFile();
        } catch (Exception e) {
            LogUtil.error(e);
        }

        try (InputStream in = new ByteArrayInputStream(fileBytes); OutputStream out = new FileOutputStream(file)) {
            final int MAX = 4096;
            byte[] buf = new byte[MAX];
            for (int bytesRead = in.read(buf, 0, MAX); bytesRead != -1; bytesRead = in.read(buf, 0, MAX)) {
                out.write(buf, 0, bytesRead);
            }
        } catch (IOException e) {
            LogUtil.error(e);
            MSException.throwException(Translator.get("upload_fail"));
        }
    }

Patches

The vulnerability has been fixed in v2.5.1.

https://github.com/metersphere/metersphere/commit/3a890eeeb8a6b0887927c876a73bdb3a99a82138 : add validation for file name.

Workarounds

It is recommended to upgrade the version to v2.5.1.

For more information

If you have any questions or comments about this advisory, please open an issue.

Severity ?
7.4 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.metersphere:metersphere"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-46178"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-30T18:03:47Z",
    "nvd_published_at": "2022-12-29T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nMeterSphere allow users to upload file, but not check the file name, may lead to upload file to any path if the file name in upload request is falsified.\n\n### Details\n\nMetersphere\u0027s [`FileUtils.java`](https://github.com/metersphere/metersphere/blob/v2.5.0/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java#L57) didn\u0027t check the filePath.\n\n```java\n    public static void createFile(String filePath, byte[] fileBytes) {\n        File file = new File(filePath);\n        if (file.exists()) {\n            file.delete();\n        }\n        try {\n            File dir = file.getParentFile();\n            if (!dir.exists()) {\n                dir.mkdirs();\n            }\n            file.createNewFile();\n        } catch (Exception e) {\n            LogUtil.error(e);\n        }\n\n        try (InputStream in = new ByteArrayInputStream(fileBytes); OutputStream out = new FileOutputStream(file)) {\n            final int MAX = 4096;\n            byte[] buf = new byte[MAX];\n            for (int bytesRead = in.read(buf, 0, MAX); bytesRead != -1; bytesRead = in.read(buf, 0, MAX)) {\n                out.write(buf, 0, bytesRead);\n            }\n        } catch (IOException e) {\n            LogUtil.error(e);\n            MSException.throwException(Translator.get(\"upload_fail\"));\n        }\n    }\n```\n\n### Patches\n\nThe vulnerability has been fixed in [v2.5.1](https://github.com/metersphere/metersphere/releases/tag/v2.5.1).\n\nhttps://github.com/metersphere/metersphere/commit/3a890eeeb8a6b0887927c876a73bdb3a99a82138 : add validation for file name.\n\n### Workarounds\n\nIt is recommended to upgrade the version to [v2.5.1](https://github.com/metersphere/metersphere/releases/tag/v2.5.1).\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/metersphere/metersphere/issues).",
  "id": "GHSA-9p62-x3c5-hr5p",
  "modified": "2022-12-30T18:03:47Z",
  "published": "2022-12-30T18:03:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-9p62-x3c5-hr5p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46178"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/metersphere/metersphere"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metersphere/metersphere/blob/v2.5.0/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java#L5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metersphere/metersphere/releases/tag/v2.5.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Path Traversal In MeterSpere leads to upload file to any path"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.