Skip to content

Path Injection In MeterSpere leads to upload file to any path

Moderate
liuruibin published GHSA-9p62-x3c5-hr5p Dec 29, 2022

Package

maven io.metersphere:metersphere (Maven)

Affected versions

< v2.5.1

Patched versions

v2.5.1

Description

Summary

MeterSphere allow users to upload file, but not check the file name, may lead to upload file to any path if the file name in upload request is falsified.

Details

Metersphere's FileUtils.java didn't check the filePath.

    public static void createFile(String filePath, byte[] fileBytes) {
        File file = new File(filePath);
        if (file.exists()) {
            file.delete();
        }
        try {
            File dir = file.getParentFile();
            if (!dir.exists()) {
                dir.mkdirs();
            }
            file.createNewFile();
        } catch (Exception e) {
            LogUtil.error(e);
        }

        try (InputStream in = new ByteArrayInputStream(fileBytes); OutputStream out = new FileOutputStream(file)) {
            final int MAX = 4096;
            byte[] buf = new byte[MAX];
            for (int bytesRead = in.read(buf, 0, MAX); bytesRead != -1; bytesRead = in.read(buf, 0, MAX)) {
                out.write(buf, 0, bytesRead);
            }
        } catch (IOException e) {
            LogUtil.error(e);
            MSException.throwException(Translator.get("upload_fail"));
        }
    }

Patches

The vulnerability has been fixed in v2.5.1.

3a890ee : add validation for file name.

Workarounds

It is recommended to upgrade the version to v2.5.1.

For more information

If you have any questions or comments about this advisory, please open an issue.

This vulnerability is reported by lujiefsi from huntr.dev.

Severity

Moderate
5.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H

CVE ID

CVE-2022-46178

Weaknesses

No CWEs