CVE-2022-29464 – WSO2 Multiple Products Unrestrictive Upload of File Vulnerability

https://notcve.org/view.php?id=CVE-2022-29464

18 Apr 2022 — Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, W... • https://packetstorm.news/files/id/166921 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •