CVE-2022-36537

CVE-2022-36537 is a high-severity vulnerability in Zkoss Zk Framework with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-02-27).

Key facts

Description

ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.

CVE-2022-36537: ZK Framework AuUploader Information Disclosure

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2022-36537
CVSS v3.1 7.5 HIGH
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS 95.34% (0.99857 percentile)
Known Exploited Yes — CISA KEV since 2023-02-27
CWE Unknown (not assigned in source data)

Summary

Multiple versions of the ZK Java web framework ship a vulnerable AuUploader component that fails to properly restrict access to file upload metadata and response data. An unauthenticated remote attacker can send a crafted POST request to the AuUploader endpoint and retrieve sensitive information that should not be exposed, resulting in a HIGH-severity information disclosure vulnerability.

Background

ZK is an open-source Java web framework maintained by ZKoss. It is widely used in enterprise applications across Asia-Pacific and in internal business systems globally. The framework's client-side architecture relies on an asynchronous update mechanism (AU) where client widgets communicate with server-side components via endpoints such as AuUploader, which handles file uploads and related metadata exchange.

Root Cause

The root cause of this vulnerability is an access-control flaw in the AuUploader component. The endpoint accepts POST requests without verifying that the requester is authorized to access the upload context or view the response data it returns. The specific code path was addressed in upstream commit 92a29aa9b1daf1fd2d9d188cb6545f0441d54e84.

Because no CWE identifier was assigned in the source data, the most applicable weakness categories are:

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor — the response leaks data to unauthenticated parties.
  • CWE-862: Missing Authorization — the endpoint does not enforce access controls before returning data.

Note: The authoritative CWE was not present in the NVD record for this CVE. The classifications above are defensive interpretations based on the disclosed behavior.

Impact

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N yields a base score of 7.5 (HIGH).

Metric Rating Implication
Attack Vector (AV) Network Exploitable remotely over the internet
Attack Complexity (AC) Low No special conditions required
Privileges Required (PR) None No authentication needed
User Interaction (UI) None Fully automated exploitation possible
Scope (S) Unchanged Impact limited to the vulnerable component
Confidentiality (C) High Sensitive data can be disclosed
Integrity (I) None No direct data modification
Availability (A) None No denial-of-service impact

The High Confidentiality impact is the primary concern: exposed data may include file paths, upload tokens, session-related metadata, or other internal state that aids further attack reconnaissance.

Exploitation Walkthrough (Defensive Perspective)

Ethics & Legal Notice: The following description is provided for defensive understanding only. Testing this vulnerability against systems you do not own or have explicit permission to test may violate computer fraud laws.

  1. Reconnaissance: The attacker identifies a publicly reachable ZK application that uses the default AU endpoint paths (commonly /zkau or similar servlet mappings).
  2. Crafted Request: The attacker sends a POST request to the AuUploader endpoint with a manipulated request body that references an upload ID or context belonging to another user or session.
  3. Information Leakage: The server responds with metadata or file data that the attacker is not authorized to view, such as file names, paths, or internal identifiers.
  4. Amplification: The disclosed information may be combined with other weaknesses (e.g., path traversal or deserialization) to escalate impact.

Defensive takeaway: The exploit is fully unauthenticated and requires only network access, making it suitable for mass-scanning and automated exploitation campaigns.

Affected and Patched Versions

Status Versions
Affected 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, 8.6.4.1
Not Affected ≥ 8.6.4.2 (per Maven metadata)

The authoritative patched version is 8.6.4.2 or later. All ZK applications using an affected version should be treated as vulnerable until upgraded.

Remediation

Immediate Actions

  1. Upgrade to ZK Framework 8.6.4.2 or the latest stable release in your major version line (9.6.2+, 9.5.1.4+, etc.).
  2. Verify your dependency management files (pom.xml, build.gradle, etc.) do not pin an affected version of org.zkoss.zk:zk.

Compensating Controls (if patching is delayed)

  • WAF Rule: Deploy a Web Application Firewall rule that restricts access to the AuUploader endpoint to authenticated sessions only, or blocks anomalous POST patterns that reference upload IDs outside the current session.
  • Network Segmentation: Ensure ZK applications are not directly exposed to the public internet unless necessary.
  • Monitor Upload Endpoints: Alert on unusual volume of POST requests to AuUploader paths from unexpected source IPs.

Detection

  • Network logs: Look for POST requests to /zkau (or your configured ZK servlet path) with AuUploader in the command data that originate from unauthenticated sessions or return unexpected data in the response.
  • EPSS score of 95.34% with a 99.857 percentile indicates this vulnerability is among the most actively exploited in the wild. Prioritize detection and response.

Assessment

CVE-2022-36537 is a high-priority remediation item. The combination of a 7.5 CVSS base score, an EPSS above 95%, and inclusion in the CISA Known Exploited Vulnerabilities catalog (added 2023-02-27) means active exploitation is not theoretical — it is confirmed in the wild.

Key lessons:

  1. Upload components are high-value targets: File upload handlers often bridge authenticated and unauthenticated code paths; they require rigorous access-control review.
  2. EPSS > 90% + KEV = patch immediately: When a vulnerability scores this high on both CVSS and EPSS and appears on CISA's KEV list, the window for proactive patching has closed; the only responsible action is emergency remediation.

References

Frequently asked questions

What is CVE-2022-36537?
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
How severe is CVE-2022-36537?
CVE-2022-36537 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2022-36537 being actively exploited?
Yes. CVE-2022-36537 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-02-27, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-36537?
CVE-2022-36537 affects Zkoss Zk Framework. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2022-36537?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-36537 have an EU (EUVD) identifier?
Yes. CVE-2022-36537 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-6491. It is also flagged as exploited in the EUVD (since 2023-02-27).
When was CVE-2022-36537 published?
CVE-2022-36537 was published on 2022-08-26 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Zkoss Zk Framework

All CVEs affecting Zkoss Zk Framework →