CVE-2022-29464 Scanner
Detects the unrestricted 'File Upload' vulnerability CVE-2022-29464 in WSO2 API Manager, Identity Server, Identity Server Analytics, Identity Server as Key Manager and Enterprise Integrator. Affected versions: WSO2 API Manager 2.2.0 through 4.0.0; WSO2 Identity Server 5.2.0 through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 through 5.10.0; WSO2 Enterprise Integrator 6.2.0 through 6.6.0.
Short Info
Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 3 days
Scan only one: Domain, IPv4
Toolbox: -
WSO2 is an open-source integration platform that businesses use to build and expose APIs and to connect their applications. Among the WSO2 offerings are the API Manager, Identity Server, Identity Server Analytics, Identity Server as Key Manager, and Enterprise Integrator. The API Manager is a tool for creating APIs, managing their lifecycle, and engaging with developers. The Identity Server provides centralized authentication and authorization, and Identity Server Analytics extracts insights from the events the server generates. Identity Server as Key Manager is the Identity Server packaged to act as the API Manager's key manager, issuing and validating the OAuth2 tokens and API keys that clients present when calling managed APIs. Lastly, the Enterprise Integrator provides a platform for building integrations between various applications.
CVE-2022-29464 lets an unauthenticated attacker upload arbitrary files to these WSO2 products, which leads directly to remote code execution. The root cause is an upload servlet exposed under /fileupload that writes the uploaded file using the client-supplied filename from the multipart Content-Disposition header without stripping path components. By placing a directory traversal sequence such as ../../../ in that filename, the attacker chooses the destination directory and can reach one under the web root (for example the server's deployed webapps directory); a JSP dropped there is then executed by the application server on the next request. No credentials are required, which is why the issue carries a critical rating. WSO2 tracks it as security advisory WSO2-2021-1738; the fix is to apply the vendor's security patch or upgrade to a fixed release. Until that is done, blocking requests to the /fileupload path at the reverse proxy removes the exposed entry point.
When exploited, CVE-2022-29464 gives the attacker code execution as the user running the WSO2 server, with no prior access required. From there the attacker can read the secrets the product holds (OAuth tokens, signing keys, database credentials), pivot to the systems it integrates with, or disrupt the APIs and logins that depend on it. The consequences for the victim organization can include regulatory fines, legal action, and reputational damage.
Thanks to the pro features of the s4e.io platform, readers of this article can easily and quickly learn about vulnerabilities that may affect their digital assets. The platform provides a range of vulnerability scanning services that enable businesses to identify and mitigate security issues before they can be exploited. With its easy-to-use interface and comprehensive reporting, s4e.io is the go-to platform for businesses looking to secure their digital assets.