Main Vulnerability Database Exploits ID:8731 - Exploit for Arbitrary file upload in WSO2 Inc. products - CVE-2022-29464

ID:8731 - Exploit for Arbitrary file upload in WSO2 Inc. products - CVE-2022-29464

Published: January 11, 2023

Vulnerability identifier: #VU62638

Vulnerability risk: Critical

CVE-ID: CVE-2022-29464

CWE-ID: CWE-434

Exploitation vector: Remote access

Vulnerable software:
WSO2 API Manager
WSO2 Identity Server
WSO2 Identity Server Analytics
WSO2 Identity Server as Key Manager
WSO2 Enterprise Integrator
Open Banking AM
Open Banking KM

Link to public exploit:

https://github.com/amit-pathak009/CVE-2022-29464-mass

Vulnerability description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to insufficient validation of files during file upload at the /fileupload endpoint. A remote non-authenticated attacker can upload a malicious file with a Content-Disposition directory traversal sequence to place it under the webroot directory and execute it on the server.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Remediation

Install updates from vendor's website.

ID:8731 - Exploit for Arbitrary file upload in WSO2 Inc. products - CVE-2022-29464

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human