CVE-2022-29464

Source
https://cve.org/CVERecord?id=CVE-2022-29464
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29464.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-29464
Published
2022-04-18T22:15:09.027Z
Modified
2026-03-14T14:53:50.298657Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0 up to 2.0.0.

References

Affected packages

Git / github.com/wso2-attic/analytics-is

Affected ranges

Type
GIT
Repo
https://github.com/wso2-attic/analytics-is
Events
  • Introduced: 0 (Unknown introduced commit / All previous commits are affected)
  • Last affected: [none]
  • Introduced: 0 (Unknown introduced commit / All previous commits are affected)
  • Last affected: [none]
  • Introduced: 0 (Unknown introduced commit / All previous commits are affected)
  • Last affected: [none]
  • Introduced: 0 (Unknown introduced commit / All previous commits are affected)
  • Last affected: [none]
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.4.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.4.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.5.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.6.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/wso2/product-apim
Events
  • Introduced: [none]
  • Last affected: [none]
  • Introduced: 0 (Unknown introduced commit / All previous commits are affected)
  • Last affected: [none]
Database specific
{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "last_affected": "4.0.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.0"
        }
    ]
}

Affected versions

4.*
4.0.0-beta
v2.*
v2.2.0
v2.2.0-update1
v2.2.0-update2
v2.2.0-update3
v2.2.0-update4
v2.2.0-update5
v2.2.0-update6
v2.2.0-update7
v2.5.0
v2.5.0-Alpha
v2.5.0-Beta
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.5.0-rc4
v2.6.0
v2.6.0-alpha
v2.6.0-alpha2
v2.6.0-beta
v2.6.0-beta2
v2.6.0-m1
v2.6.0-m2
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3
v3.*
v3.0.0
v3.0.0-alpha
v3.0.0-alpha2
v3.0.0-beta
v3.0.0-m32
v3.0.0-m33
v3.0.0-m34
v3.0.0-m35
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.1.0
v3.1.0-alpha
v3.1.0-beta
v3.1.0-m1
v3.1.0-m2
v3.1.0-m3
v3.1.0-m4
v3.1.0-m5
v3.1.0-rc1
v3.1.0-rc2
v3.1.0-rc3
v3.2.0
v3.2.0-alpha
v3.2.0-beta
v3.2.0-m1
v3.2.0-rc1
v3.2.0-rc2
v3.2.0-rc3
v3.2.0-rc4
v3.2.0-rc5
v3.2.0-rc6
v4.*
v4.0.0
v4.0.0-alpha
v4.0.0-beta
v4.0.0-m1
v4.0.0-m2
v4.0.0-m3
v4.0.0-m4
v4.0.0-m5
v4.0.0-m6
v4.0.0-m7
v4.0.0-m8
v4.0.0-rc
v5.*
v5.2.0-beta2
v5.2.0-latest
v5.3.0
v5.3.0-alpha2
v5.3.0-rc1
v5.3.0-rc2
v5.3.0-rc3
v5.4.0
v5.4.0-beta

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "6.2.0"
            },
            {
                "last_affected": "6.6.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "5.2.0"
            },
            {
                "last_affected": "5.11.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "5.3.0"
            },
            {
                "last_affected": "5.10.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "1.3.0"
            },
            {
                "last_affected": "2.0.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "1.3.0"
            },
            {
                "last_affected": "1.5.0"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29464.json"