{ "schema_version": "1.4.0", "id": "GHSA-9p62-x3c5-hr5p", "modified": "2022-12-30T18:03:47Z", "published": "2022-12-30T18:03:47Z", "aliases": [ "CVE-2022-46178" ], "summary": "Path traversal in MeterSphere leads to file upload to any path", "details": "### Summary\n\nMeterSphere allows users to upload files but does not check the file name, so a forged file name in the upload request may cause the file to be written to an arbitrary path.\n\n### Details\n\nMeterSphere's [`FileUtils.java`](https://github.com/metersphere/metersphere/blob/v2.5.0/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java#L57) does not check the filePath.\n\n```java\n public static void createFile(String filePath, byte[] fileBytes) {\n File file = new File(filePath);\n if (file.exists()) {\n file.delete();\n }\n try {\n File dir = file.getParentFile();\n if (!dir.exists()) {\n dir.mkdirs();\n }\n file.createNewFile();\n } catch (Exception e) {\n LogUtil.error(e);\n }\n\n try (InputStream in = new ByteArrayInputStream(fileBytes); OutputStream out = new FileOutputStream(file)) {\n final int MAX = 4096;\n byte[] buf = new byte[MAX];\n for (int bytesRead = in.read(buf, 0, MAX); bytesRead != -1; bytesRead = in.read(buf, 0, MAX)) {\n out.write(buf, 0, bytesRead);\n }\n } catch (IOException e) {\n LogUtil.error(e);\n MSException.throwException(Translator.get(\"upload_fail\"));\n }\n }\n```\n\n### Patches\n\nThe vulnerability has been fixed in [v2.5.1](https://github.com/metersphere/metersphere/releases/tag/v2.5.1).\n\nhttps://github.com/metersphere/metersphere/commit/3a890eeeb8a6b0887927c876a73bdb3a99a82138 : adds validation for the file name.\n\n### Workarounds\n\nIt is recommended to upgrade to [v2.5.1](https://github.com/metersphere/metersphere/releases/tag/v2.5.1).\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/metersphere/metersphere/issues).", "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "io.metersphere:metersphere" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.5.1" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/metersphere/metersphere/security/advisories/GHSA-9p62-x3c5-hr5p" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46178" }, { "type": "PACKAGE", "url": "https://github.com/metersphere/metersphere" }, { "type": "WEB", "url": "https://github.com/metersphere/metersphere/blob/v2.5.0/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java#L5" }, { "type": "WEB", "url": "https://github.com/metersphere/metersphere/releases/tag/v2.5.1" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-12-30T18:03:47Z", "nvd_published_at": "2022-12-29T19:15:00Z" } }