CVE-2021-45790: [BUG]Arbitrary File Upload Vulnerability leading to RCE in v1.15.4 · Issue #8653 · metersphere/metersphere
An arbitrary file upload vulnerability was found in MeterSphere v1.15.4. Unauthenticated users can upload any file to an arbitrary directory, where attackers can write a cron job to execute commands.
Closed · rainmanzzz opened this issue on Dec 20, 2021 · 2 comments
Version
v1.15.4
Description
Unauthenticated users can upload any kind of file to an arbitrary directory, which could lead to RCE.
API: /resource/md/upload
Vulnerable source code:
ResourceService.java
public void mdUpload(MdUploadRequest request, MultipartFile file) {
    // The destination name is request.getId() + "_" + request.getFileName(): both values
    // come straight from the unauthenticated request and are never sanitized, so ".."
    // segments escape MD_IMAGE_DIR and the upload lands in any directory the service
    // account can write to.
    FileUtils.uploadFile(file, FileUtils.MD_IMAGE_DIR, request.getId() + "_" + request.getFileName());
}
To Reproduce
I have tested this vulnerability on the demo website https://demo.metersphere.com/.
Posting the data below, we successfully uploaded a file named .1 under the /root/ directory.
If we write a cron job, then we can execute commands remotely.
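For comparison, the following is a hardened counterpart to the mdUpload snippet above. It is an added example and not MeterSphere's code or its actual fix: it keeps the same id + "_" + fileName naming but refuses any name containing separators or parent references, then re-checks that the resolved path is a direct child of the image directory. Spring's MultipartFile is replaced by a plain byte array, and a temporary directory stands in for FileUtils.MD_IMAGE_DIR, so it runs stand-alone.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class SafeMdUpload {

    // Builds the destination path the way the vulnerable snippet does
    // (id + "_" + fileName under the image directory) but refuses anything
    // that would not end up as a direct child of that directory.
    static Path resolveUploadTarget(Path baseDir, String id, String fileName) {
        if (id == null || fileName == null) {
            throw new IllegalArgumentException("id and fileName are required");
        }
        String name = id + "_" + fileName;
        // A legitimate image name never contains separators, ".." or NUL;
        // rejecting them up front gives a clear error before touching the filesystem.
        if (name.contains("/") || name.contains("\\") || name.contains("..") || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("illegal characters in upload name: " + name);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target;
        try {
            target = base.resolve(name).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("unparseable upload name", e);
        }
        // Defence in depth: even after the character check, the resolved path
        // must sit immediately inside the image directory.
        if (target.getParent() == null || !target.getParent().equals(base)) {
            throw new IllegalArgumentException("upload escapes image directory: " + target);
        }
        return target;
    }

    static void uploadFile(byte[] content, Path baseDir, String id, String fileName) throws IOException {
        Path target = resolveUploadTarget(baseDir, id, fileName);
        Files.createDirectories(baseDir);
        Files.write(target, content);
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical stand-in for FileUtils.MD_IMAGE_DIR.
        Path imageDir = Files.createTempDirectory("md-images");
        // Constructed sample upload body.
        byte[] content = "constructed sample upload".getBytes(StandardCharsets.UTF_8);

        // Benign request: accepted and written inside the image directory.
        uploadFile(content, imageDir, "42", "diagram.png");
        System.out.println("written: " + imageDir.resolve("42_diagram.png"));

        // Traversal-style names of the kind the report describes: all rejected
        // before any write happens.
        String[] hostile = { "../../../root/.1", "..\\..\\x", "a/b.png" };
        for (String f : hostile) {
            try {
                uploadFile(content, imageDir, "42", f);
                System.out.println("UNEXPECTED: accepted " + f);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + f + ": " + e.getMessage());
            }
        }
    }
}
```

The string check deliberately rejects any name containing "..", which also refuses odd but harmless names such as "a..b.png"; that is an acceptable trade for an image-upload endpoint. The second check on the normalized parent is there so that the endpoint stays safe even if the character list is relaxed later, and it applies to the id as well as the file name, since both are attacker-controlled in the original handler.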
Thanks very much for your discovery, we will fix it in the next version.
AgAngle added a commit that referenced this issue
Dec 21, 2021