CVE-2022-29464

CVE-2022-29464 is a critical-severity vulnerability in Wso2 Api Manager with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-04-25). The underlying weakness is classified as CWE-22.

Key facts

Description

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.

CVE-2022-29464: WSO2 Path Traversal File Upload Leads to Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2022-29464
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS v3.1 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS 0.99999 (99.995th percentile)
KEV Yes — added to CISA KEV catalog on 2022-04-25
Published 2022-04-18
Source NVD

Summary

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. An attacker can abuse the /fileupload endpoint by supplying a Content-Disposition header containing a directory traversal sequence to write a malicious file under the web root, such as ../../../../repository/deployment/server/webapps/.

Background

WSO2 provides an open-source integration platform used for API management, identity and access management, and enterprise integration. The affected products expose a file upload endpoint that is intended for legitimate management operations but fails to validate the destination path supplied by the client.

Root Cause

This vulnerability is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The /fileupload endpoint accepts a user-controlled filename from the Content-Disposition header without sanitizing directory traversal sequences (../). This allows an unauthenticated attacker to escape the intended upload directory and write files to arbitrary locations under the web root, including the webapps/ deployment directory.

Impact

With a CVSS v3.1 score of 9.8 (Critical), this vulnerability is trivially exploitable over the network with no authentication, privileges, or user interaction required. The impact is complete compromise of confidentiality, integrity, and availability:

  • Confidentiality: Attackers can read sensitive files and exfiltrate data.
  • Integrity: Attackers can overwrite application files and deploy malicious web shells.
  • Availability: Attackers can crash services or consume resources.

Exploitation Walkthrough

Ethics caveat: This section is provided for defensive awareness only. Never test or exploit vulnerabilities on systems you do not own or have explicit written permission to test.

An attacker crafts an HTTP POST request to a /fileupload endpoint and includes a Content-Disposition header with a traversal sequence such as filename="../../../../repository/deployment/server/webapps/malicious.jsp". The server writes the uploaded JSP or WAR file into a web-accessible directory. The attacker then accesses the deployed web shell via standard HTTP requests, achieving remote code execution.

Affected and Patched Versions

Product Affected Versions
WSO2 API Manager 2.2.0 – 4.0.0
WSO2 Identity Server 5.2.0 – 5.11.0
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager 5.3.0 – 5.11.0
WSO2 Enterprise Integrator 6.2.0 – 6.6.0
WSO2 Open Banking AM 1.4.0 – 2.0.0
WSO2 Open Banking KM 1.4.0 – 2.0.0

Patch details are available in the official WSO2 security advisory (WSO2-2021-1738). Administrators should upgrade to the latest patched releases or apply the security update provided by WSO2.

Remediation

  1. Upgrade immediately to a patched version of the affected WSO2 product. Consult WSO2 security advisory WSO2-2021-1738 for specific patch levels.
  2. Restrict access to /fileupload endpoints at the WAF, reverse proxy, or network firewall level to authorized management hosts only.
  3. Validate input by enforcing strict allowlisting of permitted upload paths and filenames. Reject any request containing directory traversal sequences.
  4. Canonicalize paths before performing file operations and ensure the resolved path is within an allowed directory.
  5. Deploy application whitelisting on the application server to prevent unauthorized JSP or WAR execution.

Detection

  • Monitor HTTP POST requests to /fileupload endpoints with Content-Disposition headers containing ../ or URL-encoded variants (%2e%2e%2f, %2e%2e%5c).
  • Alert on unexpected file writes in repository/deployment/server/webapps/ or equivalent directories.
  • Hunt for newly deployed JSP files or WAR archives in webapp directories.
  • Review web access logs for abnormal POST requests to management endpoints followed by GET requests to newly created paths.

Assessment

With an EPSS score of 0.99999 and a 99.995th percentile, exploitation in the wild is virtually certain. CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on 2022-04-25, and it is also tracked in the EUVD (EUVD-2022-33802) with exploitation confirmed since the same date. This makes CVE-2022-29464 a maximum-priority patching candidate.

Key lessons:

  1. File upload endpoints must validate destination paths with strict allowlisting, not merely blacklist filtering.
  2. Path traversal in file upload headers remains a classic but devastating vector — always canonicalize and verify paths before writes.

References

Frequently asked questions

What is CVE-2022-29464?
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.
How severe is CVE-2022-29464?
CVE-2022-29464 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-29464 being actively exploited?
Yes. CVE-2022-29464 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-04-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-29464?
CVE-2022-29464 primarily affects Wso2 Api Manager. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-29464?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-29464 have an EU (EUVD) identifier?
Yes. CVE-2022-29464 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-33802. It is also flagged as exploited in the EUVD (since 2022-04-25).
When was CVE-2022-29464 published?
CVE-2022-29464 was published on 2022-04-18 and last updated on 2026-06-17.

References

Affected products (11)

More vulnerabilities in Wso2 Api Manager

All CVEs affecting Wso2 Api Manager →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →