CVE-2022-46178
Path Traversal in MeterSphere leads to upload of a file to any path
Description
### Summary

MeterSphere allows users to upload files but does not validate the file name, so a forged file name in the upload request can cause the file to be written to an arbitrary path.

### Details

MeterSphere's [`FileUtils.java`](https://github.com/metersphere/metersphere/blob/v2.5.0/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java#L57) does not check `filePath` before creating the file:

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

// LogUtil, MSException and Translator are MeterSphere's own helper classes.
public static void createFile(String filePath, byte[] fileBytes) {
    // filePath is used exactly as supplied; nothing normalizes it or confines it to an upload directory
    File file = new File(filePath);
    if (file.exists()) {
        file.delete();
    }
    try {
        File dir = file.getParentFile();
        if (!dir.exists()) {
            dir.mkdirs();
        }
        file.createNewFile();
    } catch (Exception e) {
        LogUtil.error(e);
    }
    try (InputStream in = new ByteArrayInputStream(fileBytes);
         OutputStream out = new FileOutputStream(file)) {
        final int MAX = 4096;
        byte[] buf = new byte[MAX];
        for (int bytesRead = in.read(buf, 0, MAX); bytesRead != -1; bytesRead = in.read(buf, 0, MAX)) {
            out.write(buf, 0, bytesRead);
        }
    } catch (IOException e) {
        LogUtil.error(e);
        MSException.throwException(Translator.get("upload_fail"));
    }
}
```

### Patches

The vulnerability has been fixed in [v2.5.1](https://github.com/metersphere/metersphere/releases/tag/v2.5.1). Commit https://github.com/metersphere/metersphere/commit/3a890eeeb8a6b0887927c876a73bdb3a99a82138 adds validation for the file name.

### Workarounds

It is recommended to upgrade to [v2.5.1](https://github.com/metersphere/metersphere/releases/tag/v2.5.1).

### For more information

If you have any questions or comments about this advisory, please [open an issue](https://github.com/metersphere/metersphere/issues).
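The defence the patch describes is to validate the file name before it reaches `createFile`. The code below is an added example and is not MeterSphere's code or the content of the commit cited above; it shows one way to confine an uploaded file name to a fixed upload directory. `SafeFileWriter`, `isSafeFileName` and `resolveInside` are hypothetical names chosen for this illustration, and the base directory is a temporary directory created for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public final class SafeFileWriter {
    private SafeFileWriter() {}

    /** Accept only a flat, sane file name: no separators, no "." / "..", no NUL, bounded length. */
    public static boolean isSafeFileName(String fileName) {
        if (fileName == null || fileName.isEmpty() || fileName.length() > 255) {
            return false;
        }
        // Backslash is rejected too: on Windows it is a separator, and on Linux it is not,
        // so treating it as forbidden everywhere keeps behaviour platform-independent.
        if (fileName.indexOf('/') >= 0 || fileName.indexOf('\\') >= 0 || fileName.indexOf('\0') >= 0) {
            return false;
        }
        return !fileName.equals(".") && !fileName.equals("..");
    }

    /** Resolve fileName under baseDir and verify the normalized result is still inside baseDir. */
    public static Path resolveInside(Path baseDir, String fileName) {
        if (!isSafeFileName(fileName)) {
            throw new IllegalArgumentException("invalid file name: " + fileName);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(fileName).normalize();
        // Belt and braces: even if the name check were bypassed, the target must stay under base.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("file name escapes upload directory: " + fileName);
        }
        return target;
    }

    /** Hardened counterpart of the vulnerable createFile: caller passes the base directory, not a raw path. */
    public static Path createFile(Path baseDir, String fileName, byte[] fileBytes) throws IOException {
        Path target = resolveInside(baseDir, fileName);
        Files.createDirectories(target.getParent());
        Files.write(target, fileBytes); // creates or truncates the file inside baseDir only
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("upload-demo"); // constructed demo upload directory
        byte[] body = "sample upload".getBytes(StandardCharsets.UTF_8); // constructed upload body

        System.out.println("written: " + createFile(base, "report.txt", body));

        // Constructed names that a validator must refuse; nested paths are refused by design.
        String[] rejected = {"../outside.txt", "..\\outside.txt", "..", "sub/dir.txt", "a\0b"};
        for (String name : rejected) {
            try {
                createFile(base, name, body);
                System.out.println("accepted (unexpected): " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The two checks are deliberately redundant: `isSafeFileName` rejects anything that is not a plain name, and `resolveInside` re-verifies after normalization so that a future change to the name rules cannot silently reopen traversal into a parent of the upload directory.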
How to fix CVE-2022-46178
To remediate CVE-2022-46178, upgrade the affected package to a fixed version below.
- Upgrade to 2.5.1 or later
Is CVE-2022-46178 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.