A Critical Unauthenticated Remote Code Execution (RCE) Flaw Found in WSO2 API Manager, Identity Server & Enterprise Integrator

21 April 2022 [NO.TCSA : 20220422-1-1-P]

PUBLISHED:
21 April 2022

Remote Code Execution (RCE) Flaw Found in WSO2 API Manager, Identity Server & Enterprise Integrator

A critical unauthenticated Remote Code Execution (RCE) vulnerability, reachable through an arbitrary file upload, was found in the management console of WSO2 API Manager, Identity Server and Enterprise Integrator. The vulnerability has a CVSSv3 score of 9.8 out of 10, which rates it as critical. It has been assigned CVE-2022-29464 and is covered by WSO2 Security Advisory WSO2-2021-1738. Proof-of-concept exploit code is publicly available. By leveraging the vulnerability, an unauthenticated attacker may upload an arbitrary file, achieve remote code execution and completely take over the server.

Affected Versions

  • WSO2 API Manager 2.2.0 and above
  • WSO2 Identity Server 5.2.0 and above
  • WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
  • WSO2 Identity Server as Key Manager 5.3.0 and above
  • WSO2 Enterprise Integrator 6.2.0 and above
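The affected-version list above is the information a defender has to act on first, and comparing dotted versions by hand (or as strings, where "5.10.0" sorts before "5.2.0") is error-prone. The following is an added example, not code from this bulletin or from WSO2: it transcribes the version list above into a small checker that a fleet inventory can be run through. The product keys, the `("min"/"exact", ...)` encoding and the sample inventory are this example's own assumptions. The bulletin names no upper bound ("and above"), so a match means "inside the range the bulletin names"; whether a given build already carries WSO2's security update must be confirmed against Security Advisory WSO2-2021-1738.

```python
"""Triage a WSO2 inventory against the CVE-2022-29464 affected-version list.

Added example; the version list is transcribed from the bulletin, the product
keys and range encoding are this example's own convention.
"""
from __future__ import annotations

# ("min", v)    -> version v "and above" is affected (no upper bound given)
# ("exact", s)  -> only the versions in set s are listed as affected
AFFECTED = {
    "api-manager": ("min", (2, 2, 0)),
    "identity-server": ("min", (5, 2, 0)),
    "identity-server-analytics": ("exact", {(5, 4, 0), (5, 4, 1), (5, 5, 0), (5, 6, 0)}),
    "identity-server-as-key-manager": ("min", (5, 3, 0)),
    "enterprise-integrator": ("min", (6, 2, 0)),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.10.0' into (5, 10, 0) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: tuple[int, ...], width: int) -> tuple[int, ...]:
    """Right-pad with zeros so '2.10' and '2.10.0' compare as equal."""
    return v + (0,) * (width - len(v))


def is_affected(product: str, version: str) -> bool:
    """True if (product, version) falls inside the range the bulletin names."""
    kind, spec = AFFECTED[product]  # KeyError for products the bulletin does not cover
    v = parse_version(version)
    if kind == "exact":
        return _pad(v, 3) in spec
    width = max(len(v), len(spec))
    return _pad(v, width) >= _pad(spec, width)


def triage_inventory(records: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return the (host, product, version) records that need patching or mitigation."""
    hits = []
    for host, product, version in records:
        if product not in AFFECTED:
            continue  # not a product named in this bulletin
        try:
            if is_affected(product, version):
                hits.append((host, product, version))
        except ValueError:
            # Unparseable version strings are reported rather than silently skipped,
            # since an unknown version cannot be proven safe.
            hits.append((host, product, version))
    return hits


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("apim-01.example.internal", "api-manager", "4.0.0"),
    ("apim-legacy.example.internal", "api-manager", "2.1.0"),
    ("is-01.example.internal", "identity-server", "5.10.0"),
    ("is-analytics.example.internal", "identity-server-analytics", "5.7.0"),
    ("ei-01.example.internal", "enterprise-integrator", "6.6.0"),
    ("mb-01.example.internal", "message-broker", "3.2.0"),
]

if __name__ == "__main__":
    for host, product, version in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in the affected range; apply WSO2 updates")
```

Run stand-alone, the script prints one line per inventory entry that falls inside the bulletin's ranges; "identity-server-analytics 5.7.0" is not flagged because the bulletin lists only four exact analytics versions, and "message-broker" is ignored because the bulletin does not name it.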

Mitigation

Apply the security updates released by WSO2 or migrate to the latest version of the product. Additionally, WSO2 has published temporary mitigations, which are available in Security Advisory WSO2-2021-1738.

More Information

  • Security Advisory WSO2-2021-1738 – https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
  • Detailed Guide of Root Cause – https://github.com/hakivvi/CVE-2022-29464