Vulnerability Details: CVE-2022-29464
Public exploit exists!
Used for ransomware!
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.
Vulnerability category: Directory traversal; Execute code
Products affected by CVE-2022-29464
- cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:* (WSO2 » Identity Server As Key Manager, versions from and including 5.3.0 up to and including 5.10.0)
- cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:open_banking_am:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:open_banking_km:*:*:*:*:*:*:*:*
CVE-2022-29464 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name: WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-29464
Added on: 2022-04-25
Action due date: 2022-05-16
Exploit prediction scoring system (EPSS) score for CVE-2022-29464
EPSS score: 94.43% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~100% (the proportion of vulnerabilities that are scored at or below this score)
Metasploit modules for CVE-2022-29464
- WSO2 Arbitrary File Upload to RCE (exploit/multi/http/wso2_file_upload_rce). Disclosure date: 2022-04-01. First seen: 2022-12-23. This module abuses a vulnerability in certain WSO2 products that allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server
CVSS scores for CVE-2022-29464
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | MITRE | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2022-29464
- CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal"): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
  Assigned by:
  - 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
  - nvd@nist.gov (Primary)
- CWE-434 (Unrestricted Upload of File with Dangerous Type): The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
  Assigned by: nvd@nist.gov (Primary)
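The description at the top of this entry and the two CWE entries above together spell out the defect class: a server-side upload handler takes the `filename` parameter of a multipart `Content-Disposition` header, joins it onto a storage directory without neutralizing `../` segments, and accepts any file type, so a name such as `../../../../repository/deployment/server/webapps/x.jsp` lands somewhere the application server will execute it. The following Python is an added illustration written for this page, not WSO2 code and not the Metasploit module: it contrasts the naive join with a handler that keeps only the last path component, enforces a type allowlist, and verifies that the resolved path is still directly under the upload root. The upload root, the allowlist and the header values are constructed assumptions.

```python
"""Contrast a traversal-prone upload path join with a contained one.

Added example for CVE-2022-29464's CWE classes (CWE-22 path traversal in a
client-supplied filename, CWE-434 dangerous file types). Not WSO2 code.
"""
from email.message import Message  # stdlib parser for Content-Disposition params
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Optional

# Constructed upload root; the handler must never write outside it.
UPLOAD_ROOT = Path("/var/app/uploads")

# Constructed allowlist of the only types this application expects to store.
ALLOWED_SUFFIXES = {".png", ".jpg", ".pdf", ".txt"}


def filename_from_content_disposition(header_value: str) -> Optional[str]:
    """Return the filename parameter of a Content-Disposition value, or None.

    email.message.Message understands the parameter grammar (quoting, RFC 2231),
    so we reuse it instead of hand-rolling a parser.
    """
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


def naive_target_path(root: Path, client_filename: str) -> Path:
    """The vulnerable pattern (CWE-22): the client-controlled name is joined
    as-is, so '../' segments walk out of `root` before resolution."""
    return (root / client_filename).resolve()


def safe_target_path(root: Path, client_filename: str) -> Path:
    """Hardened variant: reduce the name to one component, allowlist the
    type, then prove containment on the resolved path."""
    # 1. Keep only the last component, stripping both '/' and '\' separators.
    base = PureWindowsPath(PurePosixPath(client_filename).name).name
    # 2. Reject empty names, dot names and embedded NULs.
    if not base or base in {".", ".."} or "\x00" in base:
        raise ValueError("rejected filename: %r" % client_filename)
    # 3. Reject types the application does not process (CWE-434).
    if PurePosixPath(base).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("rejected file type: %r" % base)
    # 4. Resolve both sides (follows symlinks) and require the file to sit
    #    directly under the root; this catches anything steps 1-3 missed.
    root_resolved = root.resolve()
    candidate = (root_resolved / base).resolve()
    if candidate.parent != root_resolved:
        raise ValueError("path escapes upload root: %r" % client_filename)
    return candidate


if __name__ == "__main__":
    # Constructed header modelled on the traversal shape described on this page.
    header = ('form-data; name="file"; '
              'filename="../../../../repository/deployment/server/webapps/x.jsp"')
    name = filename_from_content_disposition(header)
    print("naive join resolves to:", naive_target_path(UPLOAD_ROOT, name))
    try:
        safe_target_path(UPLOAD_ROOT, name)
    except ValueError as exc:
        print("hardened handler:", exc)
    print("accepted:", safe_target_path(UPLOAD_ROOT, "report.pdf"))
```

The containment check in step 4 is deliberately kept even though step 1 already removes every directory component: the resolved-path comparison is what still holds if a later refactor reintroduces subdirectories or a symlink appears under the root.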
References for CVE-2022-29464
- http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html
  WSO Arbitrary File Upload / Remote Code Execution ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- http://www.openwall.com/lists/oss-security/2022/04/22/7
  oss-security - CVE-2022-29464 :: WSO2 Unrestricted arbitrary file upload, and remote code to execution vulnerability. (Mailing List; Third Party Advisory)
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/
  Security Advisory WSO2-2021-1738 (Vendor Advisory)
- https://github.com/hakivvi/CVE-2022-29464
  GitHub - hakivvi/CVE-2022-29464: WSO2 RCE (CVE-2022-29464) exploit and writeup. (Exploit; Third Party Advisory)
- https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
  Security Advisory WSO2-2021-1738 - WSO2 Platform Security - WSO2 Documentation (Mitigation; Vendor Advisory)