CVE-2024-7074
6.8
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server.
By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WSO2 | WSO2 Enterprise Integrator | 0 < 6.0.0 | unknown |
| WSO2 | WSO2 Enterprise Integrator | 6.0.0 < 6.0.0.21 | affected |
| WSO2 | WSO2 Enterprise Integrator | 6.1.0 < 6.1.0.38 | affected |
| WSO2 | WSO2 Enterprise Integrator | 6.1.1 < 6.1.1.42 | affected |
| WSO2 | WSO2 Enterprise Integrator | 6.2.0 < 6.2.0.61 | affected |
| WSO2 | WSO2 Enterprise Integrator | 6.3.0 < 6.3.0.69 | affected |
| WSO2 | WSO2 Enterprise Integrator | 6.4.0 < 6.4.0.96 | affected |
| WSO2 | WSO2 Enterprise Integrator | 6.5.0 < 6.5.0.102 | affected |
| WSO2 | WSO2 Enterprise Integrator | 6.6.0 < 6.6.0.198 | affected |
| WSO2 | WSO2 API Manager | 0 < 2.0.0 | unknown |
| WSO2 | WSO2 API Manager | 2.0.0 < 2.0.0.28 | affected |
| WSO2 | WSO2 API Manager | 2.1.0 < 2.1.0.38 | affected |
| WSO2 | WSO2 API Manager | 2.2.0 < 2.2.0.57 | affected |
| WSO2 | WSO2 API Manager | 2.5.0 < 2.5.0.83 | affected |
| WSO2 | WSO2 API Manager | 2.6.0 < 2.6.0.143 | affected |
| WSO2 | WSO2 API Manager | 3.0.0 < 3.0.0.162 | affected |
| WSO2 | WSO2 API Manager | 3.1.0 < 3.1.0.293 | affected |
| WSO2 | WSO2 API Manager | 3.2.0 < 3.2.0.384 | affected |
| WSO2 | WSO2 API Manager | 3.2.1 < 3.2.1.16 | affected |
| WSO2 | WSO2 API Manager | 4.0.0 < 4.0.0.305 | affected |
| WSO2 | WSO2 API Manager | 4.1.0 < 4.1.0.166 | affected |
| WSO2 | WSO2 API Manager | 4.2.0 < 4.2.0.100 | affected |
| WSO2 | WSO2 API Manager | 4.3.0 < 4.3.0.16 | affected |
| WSO2 | WSO2 Enterprise Service Bus | 4.9.0 < 4.9.0.10 | affected |
| WSO2 | WSO2 Enterprise Service Bus | 5.0.0 < 5.0.0.28 | affected |
| WSO2 | WSO2 Enterprise Mobility Manager | 2.2.0 < 2.2.0.27 | affected |
| WSO2 | WSO2 Micro Integrator | 0 < 1.0.0 | unknown |
| WSO2 | WSO2 Micro Integrator | 1.0.0 < 1.0.0.49 | affected |
| WSO2 | WSO2 Open Banking AM | 0 < 1.3.0 | unknown |
| WSO2 | WSO2 Open Banking AM | 1.3.0 < 1.3.0.132 | affected |
| WSO2 | WSO2 Open Banking AM | 1.4.0 < 1.4.0.135 | affected |
| WSO2 | WSO2 Open Banking AM | 1.5.0 < 1.5.0.137 | affected |
| WSO2 | WSO2 Open Banking AM | 2.0.0 < 2.0.0.342 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.4.10 < 4.4.10.3 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.6.1 < 4.6.1.4 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.6.6 < 4.6.6.9 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.6.10 < 4.6.10.4 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.6.16 < 4.6.16.2 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.6.19 < 4.6.19.10 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.6.64 < 4.6.64.2 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.6.67 < 4.6.67.15 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.6.89 < 4.6.89.12 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.6.105 < 4.6.105.59 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.6.150 < 4.6.150.11 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.7.20 < 4.7.20.5 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.7.30 < 4.7.30.42 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.7.35 < 4.7.35.5 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.7.61 < 4.7.61.56 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.7.99 < 4.7.99.299 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.7.131 < 4.7.131.15 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.7.175 < 4.7.175.18 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.7.188 < 4.7.188.5 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.7.204 < 4.7.204.5 | affected |
| WSO2 | WSO2 Carbon Synapse Artifact Uploader BE | 4.7.216 <= * | unaffected |
Weaknesses
- CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.