TROYANOSYVIRUS
Voltar para CVEs

CVE-2022-29464

CRITICALCISA KEV
9.8

Descricao

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.

Detalhes CVE

Pontuacao CVSS v3.19.8
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado4/18/2022
Ultima modificacao11/7/2025
Fontekev
Avistamentos honeypot0

CISA KEV

FornecedorWSO2
ProdutoMultiple Products
Nome da vulnerabilidadeWSO2 Multiple Products Unrestrictive Upload of File Vulnerability
Data inclusao KEV2022-04-25
Prazo de remediacao2022-05-16
Uso em ransomwareKnown

Produtos afetados

wso2:api_managerwso2:enterprise_integratorwso2:identity_serverwso2:identity_server_analyticswso2:identity_server_as_key_managerwso2:open_banking_amwso2:open_banking_iamwso2:open_banking_km

Fraquezas (CWE)

CWE-22CWE-22

Referencias

http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html(cve@mitre.org)
http://www.openwall.com/lists/oss-security/2022/04/22/7(cve@mitre.org)
https://github.com/hakivvi/CVE-2022-29464(cve@mitre.org)
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/(cve@mitre.org)
http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2022/04/22/7(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/hakivvi/CVE-2022-29464(af854a3a-2127-422b-91ae-364da2661108)
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-29464(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.