CVE-2022-46178

Name of the Vulnerable Software and Affected Versions MeterSphere versions prior to 2.5.1

Description The issue allows users to upload a file without validating the file name, potentially leading to uploading files to any path if the file name in the upload request is falsified. This is due to a lack of validation in the FileUtils.java file, specifically in the createFile function, which does not check the filePath. The vulnerability has been fixed in version 2.5.1.

Recommendations For versions prior to 2.5.1, upgrade to version 2.5.1 to resolve the issue. As a temporary workaround, consider restricting file upload capabilities until the update can be applied. Avoid using the createFile function in FileUtils.java until the issue is resolved.