CVE-2022-29464 PoC — WSO2 API Manager 路径遍历漏洞

Source

https://github.com/axin2019/CVE-2022-29464

Associated Vulnerability

Title:WSO2 API Manager 路径遍历漏洞 (CVE-2022-29464)
Description:Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.

Description

Readme

# CVE-2022-29464
WSO2 是一个领先的各种 SOA 解决方案，包含了 SOA 相关的基础设施、技术框架和相关工具、流程服务器、应用服务器等。
影响范围

2.2.0 ≤ WSO2 API 管理器 ≤ 4.0.0

5.2.0 ≤ WSO2 Identity Server ≤ 5.11.0

WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0

5.3.0 ≤ WSO2 Identity Server as Key Manager ≤ 5.10.0

6.2.0 ≤ WSO2 Enterprise Integrator ≤ 6.6.0

修复建议

目前官方已发布最新版本，下载链接：https://wso2.com/

参考链接

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738

File Snapshot


 [4.0K]  /data/pocs/78714ab00312e019103819f3ebb0c4e95d4953ce
├── [ 606]  README.md
└── [6.8K]  Wso2-CVE-2022-29464_2.py

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!