CVE-2022-29464
CVE-2022-29464 is a critical-severity vulnerability in Wso2 Api Manager with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-04-25). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-04-25)
- EU (EUVD) id: EUVD-2022-33802
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-04-25)
- Weakness: CWE-22
- Affected product: Wso2 Api Manager
- Published:
- Last modified:
Description
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.
CVE-2022-29464: WSO2 Path Traversal File Upload Leads to Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2022-29464 |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVSS v2 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| CVSS v3.1 | 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| EPSS | 0.99999 (99.995th percentile) |
| KEV | Yes — added to CISA KEV catalog on 2022-04-25 |
| Published | 2022-04-18 |
| Source | NVD |
Summary
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. An attacker can abuse the /fileupload endpoint by supplying a Content-Disposition header containing a directory traversal sequence to write a malicious file under the web root, such as ../../../../repository/deployment/server/webapps/.
Background
WSO2 provides an open-source integration platform used for API management, identity and access management, and enterprise integration. The affected products expose a file upload endpoint that is intended for legitimate management operations but fails to validate the destination path supplied by the client.
Root Cause
This vulnerability is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The /fileupload endpoint accepts a user-controlled filename from the Content-Disposition header without sanitizing directory traversal sequences (../). This allows an unauthenticated attacker to escape the intended upload directory and write files to arbitrary locations under the web root, including the webapps/ deployment directory.
Impact
With a CVSS v3.1 score of 9.8 (Critical), this vulnerability is trivially exploitable over the network with no authentication, privileges, or user interaction required. The impact is complete compromise of confidentiality, integrity, and availability:
- Confidentiality: Attackers can read sensitive files and exfiltrate data.
- Integrity: Attackers can overwrite application files and deploy malicious web shells.
- Availability: Attackers can crash services or consume resources.
Exploitation Walkthrough
Ethics caveat: This section is provided for defensive awareness only. Never test or exploit vulnerabilities on systems you do not own or have explicit written permission to test.
An attacker crafts an HTTP POST request to a /fileupload endpoint and includes a Content-Disposition header with a traversal sequence such as filename="../../../../repository/deployment/server/webapps/malicious.jsp". The server writes the uploaded JSP or WAR file into a web-accessible directory. The attacker then accesses the deployed web shell via standard HTTP requests, achieving remote code execution.
Affected and Patched Versions
| Product | Affected Versions |
|---|---|
| WSO2 API Manager | 2.2.0 – 4.0.0 |
| WSO2 Identity Server | 5.2.0 – 5.11.0 |
| WSO2 Identity Server Analytics | 5.4.0, 5.4.1, 5.5.0, 5.6.0 |
| WSO2 Identity Server as Key Manager | 5.3.0 – 5.11.0 |
| WSO2 Enterprise Integrator | 6.2.0 – 6.6.0 |
| WSO2 Open Banking AM | 1.4.0 – 2.0.0 |
| WSO2 Open Banking KM | 1.4.0 – 2.0.0 |
Patch details are available in the official WSO2 security advisory (WSO2-2021-1738). Administrators should upgrade to the latest patched releases or apply the security update provided by WSO2.
Remediation
- Upgrade immediately to a patched version of the affected WSO2 product. Consult WSO2 security advisory WSO2-2021-1738 for specific patch levels.
- Restrict access to
/fileuploadendpoints at the WAF, reverse proxy, or network firewall level to authorized management hosts only. - Validate input by enforcing strict allowlisting of permitted upload paths and filenames. Reject any request containing directory traversal sequences.
- Canonicalize paths before performing file operations and ensure the resolved path is within an allowed directory.
- Deploy application whitelisting on the application server to prevent unauthorized JSP or WAR execution.
Detection
- Monitor HTTP POST requests to
/fileuploadendpoints withContent-Dispositionheaders containing../or URL-encoded variants (%2e%2e%2f,%2e%2e%5c). - Alert on unexpected file writes in
repository/deployment/server/webapps/or equivalent directories. - Hunt for newly deployed JSP files or WAR archives in webapp directories.
- Review web access logs for abnormal POST requests to management endpoints followed by GET requests to newly created paths.
Assessment
With an EPSS score of 0.99999 and a 99.995th percentile, exploitation in the wild is virtually certain. CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on 2022-04-25, and it is also tracked in the EUVD (EUVD-2022-33802) with exploitation confirmed since the same date. This makes CVE-2022-29464 a maximum-priority patching candidate.
Key lessons:
- File upload endpoints must validate destination paths with strict allowlisting, not merely blacklist filtering.
- Path traversal in file upload headers remains a classic but devastating vector — always canonicalize and verify paths before writes.
References
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-29464
- http://www.openwall.com/lists/oss-security/2022/04/22/7
- http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html
- https://github.com/hakivvi/CVE-2022-29464
Frequently asked questions
- What is CVE-2022-29464?
- Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0.
- How severe is CVE-2022-29464?
- CVE-2022-29464 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-29464 being actively exploited?
- Yes. CVE-2022-29464 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-04-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-29464?
- CVE-2022-29464 primarily affects Wso2 Api Manager. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-29464?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-29464 have an EU (EUVD) identifier?
- Yes. CVE-2022-29464 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-33802. It is also flagged as exploited in the EUVD (since 2022-04-25).
- When was CVE-2022-29464 published?
- CVE-2022-29464 was published on 2022-04-18 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/166921/WSO-Arbitrary-File-Upload-Remote-Code-Execution.html
- http://www.openwall.com/lists/oss-security/2022/04/22/7
- https://github.com/hakivvi/CVE-2022-29464
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-29464
Affected products (11)
- cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:identity_server_as_key_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:open_banking_am:*:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:wso2:open_banking_km:*:*:*:*:*:*:*:*
More vulnerabilities in Wso2 Api Manager
- CVE-2025-9312 — Critical (CVSS 9.8): A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST…
- CVE-2025-9152 — Critical (CVSS 9.8): An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and…
- CVE-2025-10611 — Critical (CVSS 9.8): Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks…
- CVE-2024-6914 — Critical (CVSS 9.8): An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account…
- CVE-2020-13226 — Critical (CVSS 9.8): WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the…
- CVE-2025-9804 — Critical (CVSS 9.6): An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in…
All CVEs affecting Wso2 Api Manager →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…