Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-9p62-x3c5-hr5p: Path Traversal In MeterSpere leads to upload file to any path

Summary

MeterSphere allow users to upload file, but not check the file name, may lead to upload file to any path if the file name in upload request is falsified.

Details

Metersphere’s FileUtils.java didn’t check the filePath.

    public static void createFile(String filePath, byte[] fileBytes) {
        File file = new File(filePath);
        if (file.exists()) {
            file.delete();
        }
        try {
            File dir = file.getParentFile();
            if (!dir.exists()) {
                dir.mkdirs();
            }
            file.createNewFile();
        } catch (Exception e) {
            LogUtil.error(e);
        }

        try (InputStream in = new ByteArrayInputStream(fileBytes); OutputStream out = new FileOutputStream(file)) {
            final int MAX = 4096;
            byte[] buf = new byte[MAX];
            for (int bytesRead = in.read(buf, 0, MAX); bytesRead != -1; bytesRead = in.read(buf, 0, MAX)) {
                out.write(buf, 0, bytesRead);
            }
        } catch (IOException e) {
            LogUtil.error(e);
            MSException.throwException(Translator.get("upload_fail"));
        }
    }

Patches

The vulnerability has been fixed in v2.5.1.

https://github.com/metersphere/metersphere/commit/3a890eeeb8a6b0887927c876a73bdb3a99a82138 : add validation for file name.

Workarounds

It is recommended to upgrade the version to v2.5.1.

For more information

If you have any questions or comments about this advisory, please open an issue.

ghsa
Open in Source
#vulnerability#git#java

Summary

MeterSphere allow users to upload file, but not check the file name, may lead to upload file to any path if the file name in upload request is falsified.

Details

Metersphere’s FileUtils.java didn’t check the filePath.

public static void createFile(String filePath, byte\[\] fileBytes) {
    File file = new File(filePath);
    if (file.exists()) {
        file.delete();
    }
    try {
        File dir = file.getParentFile();
        if (!dir.exists()) {
            dir.mkdirs();
        }
        file.createNewFile();
    } catch (Exception e) {
        LogUtil.error(e);
    }

    try (InputStream in = new ByteArrayInputStream(fileBytes); OutputStream out = new FileOutputStream(file)) {
        final int MAX = 4096;
        byte\[\] buf = new byte\[MAX\];
        for (int bytesRead = in.read(buf, 0, MAX); bytesRead != -1; bytesRead = in.read(buf, 0, MAX)) {
            out.write(buf, 0, bytesRead);
        }
    } catch (IOException e) {
        LogUtil.error(e);
        MSException.throwException(Translator.get("upload\_fail"));
    }
}

Patches

The vulnerability has been fixed in v2.5.1.

metersphere/metersphere@3a890ee : add validation for file name.

Workarounds

It is recommended to upgrade the version to v2.5.1.

For more information

If you have any questions or comments about this advisory, please open an issue.

References

  • GHSA-9p62-x3c5-hr5p
  • https://nvd.nist.gov/vuln/detail/CVE-2022-46178
  • https://github.com/metersphere/metersphere/blob/v2.5.0/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java#L5
  • https://github.com/metersphere/metersphere/releases/tag/v2.5.1

Related news

CVE-2022-46178: Path Injection In MeterSpere leads to upload file to any path

MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.1 allow users to upload a file, but do not validate the file name, which may lead to upload file to any path. The vulnerability has been fixed in v2.5.1. There are no workarounds.

ghsa: Latest News

GHSA-x7m9-mv49-fv73: Vaultwarden vulnerable to user impersonation
ghsa