MeterSphere Path Traversal via Unvalidated File Upload (2.5.0, Fixed v2.5.1)
CVE-2022-46178 Published on December 29, 2022

Path Traversal In MeterSpere allows file upload to any path
MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.1 allow users to upload a file, but do not validate the file name, which may lead to upload file to any path. The vulnerability has been fixed in v2.5.1. There are no workarounds.

Github Repository NVD

Vulnerability Analysis

CVE-2022-46178 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2022-46178. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Type

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2022-46178 has been classified to as a Directory traversal vulnerability or weakness.


Products Associated with CVE-2022-46178

Want to know whenever a new CVE is published for Metersphere? stack.watch will email you.

Metersphere
 

Affected Versions

metersphere Version < v2.5.1 is affected by CVE-2022-46178

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-46178

Package Manager Vulnerable Package Versions Fixed In
maven io.metersphere:metersphere < 2.5.1 2.5.1

Exploit Probability

EPSS
0.58%
Percentile
69.21%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.