CVE-2022-46178: 
Java vulnerability analysis and mitigation

MeterSphere, a one-stop open source continuous testing platform covering test management, interface testing, UI testing and performance testing, was found to contain a path injection vulnerability (CVE-2022-46178) in versions prior to 2.5.1. The vulnerability was discovered and disclosed on December 29, 2022, affecting all MeterSphere installations before version 2.5.1 (GitHub Advisory, NVD).

The vulnerability exists in FileUtils.java where the application fails to validate file names during file upload operations. This allows users to upload files to arbitrary paths by manipulating the file name in upload requests. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal'). The CVSS v3.1 base score is 8.8 (HIGH) according to NVD assessment with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could allow attackers to upload files to any location on the system, potentially leading to arbitrary code execution, system compromise, or unauthorized access to sensitive data. The vulnerability affects confidentiality, integrity, and availability of the system with high severity ratings (GitHub Advisory).

The vulnerability has been fixed in MeterSphere version 2.5.1 with commit 3a890ee that adds validation for file names. Users are strongly recommended to upgrade to version 2.5.1 or later. There are no known workarounds for this vulnerability (GitHub Advisory).