CVE-2022-36537
Published: 26 August 2022
Summary
CVE-2022-36537 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in the Zkoss ZK Framework. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1 are affected by a vulnerability in the AuUploader component that allows unauthorized access to sensitive information when a crafted POST request is processed. The issue carries a CVSS 3.1 score of 7.5, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction; the impact is limited to confidentiality (rated High), with no integrity or availability impact.
Remote unauthenticated attackers can send malicious POST requests to the AuUploader endpoint and retrieve confidential data stored or processed by the framework. No authentication or user interaction is needed, enabling direct information disclosure from exposed instances.
Advisories reference ZK tracker entry ZK-5150 along with CISA alerts on active exploitation of the ZK Java framework flaw, and the CVE is listed in the CISA known exploited vulnerabilities catalog.
The associated EPSS score reached a peak of 0.9686 with a current value of 0.9394, indicating sustained high exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6491
Vulnerability details
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
- CWE(s): not specified
- KEV Date Added: 27 February 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access control decisions on the AuUploader endpoint to block unauthenticated requests that exfiltrate sensitive data.
- SI-10 (Information Input Validation): Requires validation of the specially crafted POST request before the AuUploader component processes or discloses information.
- Restricts network traffic to the vulnerable AuUploader component, limiting remote unauthenticated access from external attackers.