TROYANOSYVIRUS

CVE-2022-29464

CRITICAL | CISA KEV | CVSS 9.8

Description

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0 up to 2.0.0.
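As an added example (not code from this page and not WSO2's own code), the following Python shows the path-resolution defect the description names: a multipart upload whose Content-Disposition filename carries "../" segments is joined onto the upload directory as-is and lands in a webapps directory outside it, while the hardened variant refuses any filename that contains path components and confirms the resolved path stays inside the upload directory. The upload directory, multipart boundary, request body and file name are constructed assumptions for the demonstration, not WSO2's real layout or a real request.

```python
"""
Added example, not code from the vulnerability page or from WSO2.
Demonstrates how a client-controlled Content-Disposition filename with
"../" segments escapes an upload directory when joined naively, and the
check that refuses it. Every path and the request body are constructed.
"""
import posixpath
import re
from typing import Optional

# Hypothetical upload directory four levels below the product home, so that the
# page's "../../../../repository/deployment/server/webapps" sequence resolves to
# the servlet container's webapps directory. Not a real WSO2 path.
UPLOAD_DIR = "/opt/wso2/tmp/uploads/work/incoming"

BOUNDARY = b"----formboundary1234"

# Constructed multipart/form-data body of a POST to a /fileupload endpoint.
# Only the filename parameter matters for the traversal.
SAMPLE_BODY = b"".join([
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="file"; '
    b'filename="../../../../repository/deployment/server/webapps/demo.txt"\r\n',
    b"Content-Type: application/octet-stream\r\n",
    b"\r\n",
    b"demo content\r\n",
    b"--" + BOUNDARY + b"--\r\n",
])

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def parse_parts(body: bytes, boundary: bytes) -> list:
    """Minimal multipart/form-data parser: [{"headers": {...}, "data": bytes}, ...]."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter, nothing follows
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        parts.append({"headers": headers, "data": data.rstrip(b"\r\n")})
    return parts


def filename_of(part: dict) -> Optional[str]:
    """Return the raw filename parameter of the part's Content-Disposition, if any."""
    m = _FILENAME_RE.search(part["headers"].get("content-disposition", ""))
    return m.group(1) if m else None


def resolve_naive(upload_dir: str, filename: str) -> str:
    """The vulnerable pattern: trust the client-supplied name and join it as-is."""
    return posixpath.normpath(posixpath.join(upload_dir, filename))


def escapes_dir(upload_dir: str, target: str) -> bool:
    """True when the resolved target is not located inside upload_dir."""
    root = posixpath.normpath(upload_dir)
    return posixpath.commonpath([root, posixpath.normpath(target)]) != root


def resolve_safe(upload_dir: str, filename: str) -> str:
    """Hardened resolution: a form filename must be a bare name, and the result must stay in upload_dir."""
    name = filename.replace("\\", "/")
    if "/" in name or name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"rejected filename with path components: {filename!r}")
    target = posixpath.normpath(posixpath.join(upload_dir, name))
    if escapes_dir(upload_dir, target):      # defence in depth behind the check above
        raise ValueError(f"upload escapes {upload_dir}: {target}")
    return target


def safe_rejects(upload_dir: str, filename: str) -> bool:
    """Convenience wrapper: does the hardened resolver refuse this filename?"""
    try:
        resolve_safe(upload_dir, filename)
    except ValueError:
        return True
    return False


def classify_upload(body: bytes, boundary: bytes, upload_dir: str = UPLOAD_DIR) -> list:
    """For each file part: where a naive server would write it and whether that escapes upload_dir."""
    results = []
    for part in parse_parts(body, boundary):
        fn = filename_of(part)
        if fn is None:
            continue
        naive = resolve_naive(upload_dir, fn)
        results.append({"filename": fn, "naive_target": naive,
                        "traversal": escapes_dir(upload_dir, naive)})
    return results


if __name__ == "__main__":
    for entry in classify_upload(SAMPLE_BODY, BOUNDARY):
        print(entry)
```

The same `escapes_dir` containment test, applied to filenames pulled from web-server access logs or WAF captures of POSTs to a /fileupload path, is a cheap way to flag traversal attempts against an unpatched instance; the hardened resolver deliberately rejects rather than silently stripping the directory part, because a filename with "../" in it is an attack signal worth logging, not a value to clean up.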

CVE details

CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 2022-04-18
Last modified: 2025-11-07
Source: kev
Honeypot sightings: 0

CISA KEV

Vendor: WSO2
Product: Multiple Products
Vulnerability name: WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
Date added to KEV: 2022-04-25
Remediation due date: 2022-05-16
Known use in ransomware campaigns: Known

Affected products

wso2:api_manager
wso2:enterprise_integrator
wso2:identity_server
wso2:identity_server_analytics
wso2:identity_server_as_key_manager
wso2:open_banking_am
wso2:open_banking_iam
wso2:open_banking_km

Weaknesses (CWE)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

IOC correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.