Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWso2 Api Manager
APPWso22.2.0 – 4.0.0Wso2 Enterprise Integrator
APPWso26.2.0 – 6.6.0Wso2 Identity Server
APPWso25.2.0 – 5.11.0Wso2 Identity Server Analytics
APPWso25.4.05.4.15.5.05.6.0Wso2 Identity Server As Key Manager
APPWso25.3.0 – 5.10.0Wso2 Open Banking Am
APPWso21.3.0 – 2.0.0Wso2 Open Banking Iam
APPWso22.0.0Wso2 Open Banking Km
APPWso21.3.0 – 1.5.0
CISA KEV — detailsi
- Vendori
- WSO2
- Producti
- Multiple Products
- Added to KEVi
- April 25, 2022
- Remediation deadline (US Federal)i
- May 16, 2022(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply updates per vendor instructions.
Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.
Related vulnerabilities
WSO2 API Manager – RCE przez upload pliku z uprawnieniami administratora
Brak wymuszania uwierzytelniania mTLS w produktach WSO2 — nieautoryzowany dostęp administracyjny
WSO2 API Manager — brak uwierzytelniania w endpoincie DCR umożliwia eskalację uprawnień
Pominięcie kontroli dostępu w produktach WSO2 – nieautoryzowany dostęp administracyjny
Nieprawidłowa kontrola dostępu w wewnętrznych API WSO2 (SOAP/REST)