Vulnerability Details : CVE-2022-29464
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
Vulnerability category: Directory traversal; Execute code
At least one public exploit for this vulnerability exists.
CVE-2022-29464 is in the CISA Known Exploited Vulnerabilities Catalog.
CISA vulnerability name: WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.
Added on: 2022-04-25
Action due date: 2022-05-16
Exploit prediction scoring system (EPSS) score for CVE-2022-29464
Probability of exploitation activity in the next 30 days: 97.48%
Percentile (the proportion of vulnerabilities scored at or below this one): ~100%
Metasploit modules for CVE-2022-29464
- WSO2 Arbitrary File Upload to RCE
Disclosure Date: 2022-04-01
Module: exploit/multi/http/wso2_file_upload_rce
This module abuses a vulnerability in certain WSO2 products that allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
Authors: Orange Tsai; hakivvi; wvu <[email protected]>; Jack Heysel <[email protected]>
CVSS scores for CVE-2022-29464
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source
---|---|---|---|---|---
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | [email protected]
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | [email protected]
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | [email protected]
CWE ids for CVE-2022-29464
- The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. Assigned by: [email protected] (Primary)
References for CVE-2022-29464
- http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html (Exploit; Third Party Advisory; VDB Entry)
- http://www.openwall.com/lists/oss-security/2022/04/22/7 (Mailing List; Third Party Advisory)
- https://github.com/hakivvi/CVE-2022-29464 (Exploit; Third Party Advisory)
- https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738 (Mitigation; Vendor Advisory)
Products affected by CVE-2022-29464
- cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
- WSO2 Identity Server as Key Manager, versions from 5.3.0 (inclusive) up to and including 5.10.0: cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*