CVE-2022-45760: The Broken Access Control vulnerability exists in the latest version of SENS · Issue #21 · saysky/SENS
SENS v1.0 is vulnerable to an Incorrect Access Control vulnerability.
This project has a file upload function. The corresponding code for this function is located in com.liuyanzhao.sens.web.controller.admin#upload:
```java
@PostMapping(value = "/upload", produces = {"application/json;charset=UTF-8"})
@ResponseBody
@SystemLog(description = "上传文件", type = LogTypeEnum.ATTACHMENT) // description: "upload file"
public Map<String, Object> upload(@RequestParam("file") MultipartFile file,
                                  HttpServletRequest request) {
    // Delegates to the shared attachment handler; no per-user ownership is enforced here.
    return uploadAttachment(file, request);
}
```
The upload method delegates to the uploadAttachment() method.
On audit, the code does not restrict access to uploaded files by their owner, so any user can retrieve a file uploaded by any other user without authorization.
The demo website provided by the project author is used to demonstrate the vulnerability.
User a uploads a file; the file path is "/upload/2022/11/test1.HTML".
Then log in as another user and request the above path: the file is served without any ownership check, giving unauthorized access to any uploaded file.
Solution: add a filtering mechanism that checks file ownership before serving an uploaded attachment.
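One way to implement the ownership check the solution calls for, as an added example that is not the SENS project's own code: a Spring MVC interceptor that denies any request under /upload/ unless the attachment's recorded owner matches the logged-in user. The Attachment record, the AttachmentLookup interface and the "USER_ID" session attribute are assumptions about how the application would store that information.

```java
// Added example, not code from the SENS project: a Spring MVC interceptor that
// refuses to serve a file under /upload/** unless the logged-in user uploaded it.
// AttachmentLookup, Attachment and the "USER_ID" session attribute are assumptions.
import java.net.URI;
import java.nio.file.Paths;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;

public class AttachmentOwnerInterceptor implements HandlerInterceptor {

    /** Minimal attachment record (assumed shape): which user uploaded the file. */
    public static class Attachment {
        public final String path;
        public final long ownerUserId;
        public Attachment(String path, long ownerUserId) { this.path = path; this.ownerUserId = ownerUserId; }
    }

    /** Hypothetical lookup of the record written when the file was uploaded; null if unknown. */
    public interface AttachmentLookup {
        Attachment findByPath(String normalizedPath);
    }

    private final AttachmentLookup lookup;

    public AttachmentOwnerInterceptor(AttachmentLookup lookup) { this.lookup = lookup; }

    /** Default-deny ownership check: true only when the file is known and belongs to the caller. */
    static boolean isAllowed(String decodedPath, Long currentUserId, AttachmentLookup lookup) {
        if (currentUserId == null) return false;                       // anonymous: deny
        // Normalize so "/upload/../other" cannot slip past the prefix check or the lookup.
        String key = Paths.get(decodedPath).normalize().toString().replace('\\', '/');
        if (!key.startsWith("/upload/")) return false;
        Attachment a = lookup.findByPath(key);
        return a != null && a.ownerUserId == currentUserId;           // unknown file: deny
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        Long userId = request.getSession(false) == null
                ? null : (Long) request.getSession(false).getAttribute("USER_ID");
        // getRequestURI() is not percent-decoded; URI.getPath() decodes it (and rejects malformed input).
        String path = new URI(request.getRequestURI()).getPath();
        if (isAllowed(path, userId, lookup)) return true;
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
    // Register for "/upload/**" via WebMvcConfigurer#addInterceptors so resource serving passes through it.
}
```

For this to work, the upload handler must record the uploader's user id with each stored path; the interceptor then denies unknown paths as well as other users' files.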