TROYANOSYVIRUS
Zuruck zu CVEs

CVE-2022-29464

CRITICALCISA KEV
9.8

Beschreibung

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.

CVE Details

CVSS v3.1 Bewertung9.8
SchweregradCRITICAL
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht4/18/2022
Zuletzt geandert11/7/2025
Quellekev
Honeypot-Sichtungen0

CISA KEV

HerstellerWSO2
ProduktMultiple Products
SchwachstellennameWSO2 Multiple Products Unrestrictive Upload of File Vulnerability
KEV Aufnahmedatum2022-04-25
Behebungsfrist2022-05-16
Ransomware-NutzungKnown

Betroffene Produkte

wso2:api_managerwso2:enterprise_integratorwso2:identity_serverwso2:identity_server_analyticswso2:identity_server_as_key_managerwso2:open_banking_amwso2:open_banking_iamwso2:open_banking_km

Schwachen (CWE)

CWE-22CWE-22

Referenzen

http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html(cve@mitre.org)
http://www.openwall.com/lists/oss-security/2022/04/22/7(cve@mitre.org)
https://github.com/hakivvi/CVE-2022-29464(cve@mitre.org)
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/(cve@mitre.org)
http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2022/04/22/7(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/hakivvi/CVE-2022-29464(af854a3a-2127-422b-91ae-364da2661108)
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-29464(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.