CVE-2022-29464
Published: 18 April 2022
Summary
CVE-2022-29464 is a critical-severity unrestricted file upload vulnerability, classified as Path Traversal (CWE-22), in multiple WSO2 products including API Manager, Identity Server, Identity Server Analytics, Identity Server as Key Manager and Enterprise Integrator. Its CVSS base score is 9.8 (Critical).
Operationally, its EPSS score places it among the CVEs most likely to be exploited; CISA added it to the Known Exploited Vulnerabilities catalog on 25 April 2022, and a public proof-of-concept is available.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2022-29464 is an unrestricted file upload vulnerability that leads to remote code execution through directory traversal. It affects multiple WSO2 products: API Manager 2.2.0 through 4.0.0, Identity Server 5.2.0 through 5.11.0, Identity Server as Key Manager 5.3.0 through 5.11.0, Enterprise Integrator 6.2.0 through 6.6.0, and several related Open Banking and analytics components. The flaw lies in the /fileupload endpoint, which uses the filename parameter of a multipart part's Content-Disposition header to build the destination path without normalising it. A filename containing a traversal sequence such as ../../../../repository/deployment/server/webapps therefore places the uploaded file under the web root instead of the intended upload directory.
Unauthenticated remote attackers exploit the issue over the network by sending a crafted multipart request to the vulnerable endpoint; no credentials or user interaction are needed. Successful exploitation lets the attacker write server-side code into a web-accessible directory and have it executed, giving full compromise of the confidentiality, integrity, and availability of the affected server, which is what drives the 9.8 score.
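As an added example (not WSO2 code and not the public proof-of-concept), the Python below parses a constructed multipart/form-data body of the shape described above, pulls the filename out of each part's Content-Disposition, and flags names that would resolve outside the upload directory. This is the check a WAF rule or an incident responder reviewing captured requests to /fileupload would apply. The boundary, field name and part contents are constructed for the example.

```python
"""Detect directory traversal in multipart upload filenames (the request shape
used against /fileupload in CVE-2022-29464).  Added example: the parser,
boundary, field names and part bodies below are constructed for illustration
and are not WSO2 code."""
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):\s*(.*)$")
NAME_RE = re.compile(r'\bname="([^"]*)"', re.IGNORECASE)      # \b keeps this off "filename"
FILENAME_RE = re.compile(r'\bfilename="([^"]*)"', re.IGNORECASE)


@dataclass
class UploadPart:
    field: Optional[str]
    filename: Optional[str]


def parse_multipart(body: bytes, boundary: str) -> List[UploadPart]:
    """Minimal multipart/form-data parser: one UploadPart per body part,
    carrying the name= and filename= parameters of its Content-Disposition.
    Only the header fields matter for detection, so part bodies are not kept."""
    parts: List[UploadPart] = []
    delimiter = b"--" + boundary.encode()
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter: done
            break
        head, _, _ = chunk.partition(b"\r\n\r\n")
        field = filename = None
        for line in head.decode("latin-1").split("\r\n"):
            m = HEADER_RE.match(line)
            if not m or m.group(1).lower() != "content-disposition":
                continue
            n = NAME_RE.search(m.group(2))
            f = FILENAME_RE.search(m.group(2))
            field = n.group(1) if n else None
            filename = f.group(1) if f else None
        parts.append(UploadPart(field, filename))
    return parts


def escapes_upload_dir(filename: str) -> bool:
    """True if joining the filename to an upload directory would resolve to a
    path outside it.  Backslashes are folded to '/' so a Windows-style
    ..\\..\\ sequence is caught as well; normpath collapses 'a/../b' style
    names that stay inside the directory, so those are not flagged."""
    norm = posixpath.normpath(filename.replace("\\", "/"))
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def find_traversal(body: bytes, boundary: str) -> List[str]:
    """Filenames in the request that would write outside the upload directory."""
    return [p.filename for p in parse_multipart(body, boundary)
            if p.filename and escapes_upload_dir(p.filename)]


# Constructed sample request body: one hostile part of the kind described in
# the advisory, one ordinary upload.
BOUNDARY = "----ExampleBoundary"
SAMPLE_BODY = (
    b"------ExampleBoundary\r\n"
    b'Content-Disposition: form-data; name="file"; '
    b'filename="../../../../repository/deployment/server/webapps/shell.jsp"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"(server-side payload omitted)\r\n"
    b"------ExampleBoundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n"
    b"\r\n"
    b"%PDF-1.4 ...\r\n"
    b"------ExampleBoundary--\r\n"
)

if __name__ == "__main__":
    for name in find_traversal(SAMPLE_BODY, BOUNDARY):
        print("traversal attempt:", name)
```

The containment test normalises before deciding, so a name like a/../b.txt, which stays inside the directory, is not reported, while ../x, /x and ..\x all are; run the same function over filenames logged by a reverse proxy to triage historical traffic.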
WSO2 has published a security advisory (WSO2-2021-1738) that describes the affected versions and provides mitigation guidance; public proof-of-concept code and exploit modules have also been released. The associated EPSS score has reached a peak of 0.9750 with a current value of 0.9443, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33802
Vulnerability details
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0 up to 2.0.0.
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 25 April 2022
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate file-upload inputs, including the filename taken from the Content-Disposition header, and reject directory traversal sequences so that nothing can be written outside the intended upload directory or into the web root.
- AC-3 (Access Enforcement): enforce explicit access control on the /fileupload endpoint so that unauthenticated or unauthorized POST requests are denied before any file is stored.
- CM-7 (Least Functionality): restrict the system to the minimal set of functions it needs, disabling or tightly constraining the unrestricted file-upload capability that the vulnerability exploits.
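To show what SI-10 and AC-3 look like inside a handler, the following added Python example (not WSO2's implementation, which is Java) places the unsafe pattern from the analysis above beside a hardened one: store_upload_vulnerable joins the client-supplied filename to the upload directory unchecked, while store_upload_hardened denies unauthenticated or unauthorized callers first, accepts only a bare allow-listed filename, and verifies that the resolved destination stays inside the upload directory. The principal dictionaries, the allowed extensions and the scratch directory layout are assumptions made for the demo.

```python
"""Unsafe vs. hardened handling of an uploaded file's client-supplied name.
Added Python illustration of the SI-10 and AC-3 controls; not WSO2's (Java)
fix.  Principal structure, allowed extensions and the scratch directory
layout are assumptions made for the demo."""
import os
import re
import shutil
import tempfile
from pathlib import Path

# Assumption: a bare filename, alphanumeric first, then alnum/dot/underscore/dash.
# No separator and no leading dot can match, so '..' and '/' never get through.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
ALLOWED_EXT = {".pdf", ".png", ".csv"}   # assumption: what this service accepts


def store_upload_vulnerable(upload_dir: str, filename: str, data: bytes) -> str:
    """The CVE-2022-29464 pattern: the multipart filename is trusted as a
    relative path, so '../' components walk out of upload_dir."""
    dest = os.path.join(upload_dir, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def store_upload_hardened(upload_dir: str, principal: dict,
                          filename: str, data: bytes) -> str:
    """Same operation with the controls applied in order: authorization
    first (AC-3), then filename validation and path confinement (SI-10)."""
    if not principal.get("authenticated") or "upload" not in principal.get("permissions", ()):
        raise PermissionError("upload denied for this principal")
    if not SAFE_NAME.match(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    if Path(filename).suffix.lower() not in ALLOWED_EXT:
        raise ValueError(f"rejected extension: {filename!r}")
    base = Path(upload_dir).resolve()
    base.mkdir(parents=True, exist_ok=True)
    dest = (base / filename).resolve()
    if dest.parent != base:                 # defence in depth behind the regex
        raise ValueError("destination escapes the upload directory")
    with open(dest, "wb") as fh:
        fh.write(data)
    return str(dest)


def demo() -> dict:
    """Runs both handlers against a traversal filename inside a throwaway
    directory tree and reports what each did."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    uploads.mkdir()
    hostile = "../webapps/shell.jsp"   # constructed attacker-controlled name
    attacker = {"authenticated": False, "permissions": ()}
    admin = {"authenticated": True, "permissions": ("upload",)}
    result = {}
    try:
        written = Path(store_upload_vulnerable(str(uploads), hostile, b"x")).resolve()
        result["vulnerable_escaped"] = uploads.resolve() not in written.parents
        for who, principal in (("attacker", attacker), ("admin", admin)):
            try:
                store_upload_hardened(str(uploads), principal, hostile, b"x")
                result[who] = "stored"
            except (PermissionError, ValueError) as exc:
                result[who] = type(exc).__name__
        ok = store_upload_hardened(str(uploads), admin, "report.pdf", b"%PDF-1.4")
        result["admin_ok"] = Path(ok).name
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the authorization test runs before any filesystem work, so an unauthenticated caller never reaches the path logic, and the resolve-and-compare step remains as a second barrier should the filename rule ever be loosened.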