Cyber Resilience

CVE-2022-44635

Severity: High
Published: 29 November 2022
Modified: 25 April 2025
KEV Added: not listed
Patch: upgrade to 1.8.1
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1297 (94.2nd percentile)
Risk Priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-44635 is a high-severity path traversal (CWE-22) vulnerability in Apache Fineract. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Apache Fineract versions 1.8.0 and earlier are affected by a path traversal vulnerability in the file upload component, tracked as CVE-2022-44635 and classified as CWE-22. The flaw permits an authenticated user to perform remote code execution on the server; its CVSS 3.1 score of 8.8 reflects a network attack vector, low attack complexity, low privileges required, and high impact on confidentiality, integrity, and availability.

An attacker who already possesses valid credentials can exploit the issue to upload crafted files that traverse directories and execute arbitrary code, thereby gaining control over the affected Fineract instance.

Public advisories from the Apache project direct users to upgrade to version 1.8.1 as the primary mitigation, with corresponding notices published on the project mailing lists and Openwall.

The EPSS probability rose from lower values to a peak of 0.4096 on 2025-12-11 before receding to the current 0.1297, indicating that exploitation interest emerged after disclosure.

Vulnerability details

Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: fineract
Versions: ≤ 1.8.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
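As an added illustration of the control listed above (example code written for this page, not code from Apache Fineract or from the advisory), the Python below shows the two checks a file-upload handler would layer for CWE-22: an allow-list on the client-supplied name, and a canonical-path containment check on the final on-disk location. The base directory, the sample names and the function names are constructed for the example.

```python
"""Upload pathname validation against CWE-22 (added example, not Fineract code)."""
import os
import re
import tempfile
from pathlib import Path

# Allow-list for a single path component: starts with a letter or digit, then
# letters, digits, dot, dash or underscore, at most 255 characters in total.
# Assumption: the application only ever needs simple document names.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class PathTraversalError(ValueError):
    """Raised when a supplied name would escape the upload directory."""


def is_safe_filename(name: str) -> bool:
    """First layer: syntactic check on the client-supplied name alone."""
    if "\x00" in name:                      # NUL bytes truncate C-level paths
        return False
    if "/" in name or "\\" in name:         # no separators of either flavour
        return False
    if name in (".", ".."):                 # current/parent directory
        return False
    return _SAFE_NAME.match(name) is not None


def is_within(base_dir: str, candidate: str) -> bool:
    """Second layer: canonicalise both paths and check containment.

    realpath() collapses '..' segments and follows symlinks, so a candidate
    that textually starts with base_dir but escapes it is still caught.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def resolve_upload_path(base_dir: str, supplied_name: str) -> Path:
    """Return the on-disk path for an upload, or raise PathTraversalError.

    Both layers are applied: the allow-list rejects traversal syntax up front,
    and the containment check guards against anything the allow-list misses
    (for example a base_dir that is itself a symlink into another tree).
    """
    if not is_safe_filename(supplied_name):
        raise PathTraversalError(f"rejected filename: {supplied_name!r}")
    candidate = os.path.join(base_dir, supplied_name)
    if not is_within(base_dir, candidate):
        raise PathTraversalError(f"path escapes upload dir: {candidate!r}")
    return Path(os.path.realpath(candidate))


def demo() -> dict:
    """Run constructed sample names through both layers and report outcomes."""
    base = tempfile.mkdtemp(prefix="uploads-")   # constructed upload directory
    samples = ["loan_12.pdf", "../../etc/passwd", "..", "docs/x.txt", "x\x00.txt"]
    results = {name: is_safe_filename(name) for name in samples}

    # What a naive os.path.join without validation would have produced:
    naive = os.path.join(base, "../../etc/passwd")
    results["naive_join_escapes"] = not is_within(base, naive)

    accepted = resolve_upload_path(base, "loan_12.pdf")
    results["resolved_name"] = accepted.name
    results["resolved_inside"] = is_within(base, str(accepted))

    try:
        resolve_upload_path(base, "../../etc/passwd")
        results["traversal_rejected"] = False
    except PathTraversalError:
        results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The allow-list is the control that actually stops a traversal payload; the containment check is defense in depth, and the two together mean that an accepted name can only ever land directly inside the configured upload directory.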