CVE-2022-29464 in API Manager
Summary
by MITRE • 04/19/2022
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0 up to 2.0.0.
Analysis
by VulDB Data Team • 11/07/2025
CVE-2022-29464 is a critical flaw in several WSO2 enterprise products that allows an unauthenticated remote attacker to execute code by uploading an arbitrary file. The affected products are API Manager, Identity Server, Identity Server Analytics, Identity Server as Key Manager, Enterprise Integrator and the Open Banking AM and KM components, in the version ranges listed in the summary above. The root cause is insufficient validation in the /fileupload endpoint: the filename taken from the Content-Disposition header of a multipart request is used to build the destination path without neutralising directory traversal sequences. An attacker can therefore escape the intended upload location and write a file of their choosing into a web application directory on the server.
Technically the attack is a path traversal on the upload destination: a filename such as ../../../../repository/deployment/server/webapps/... walks out of the temporary upload directory and into the hot-deployment directory of the embedded Tomcat under the web root. A JSP or WAR file placed there is deployed and served by the container, so the upload turns directly into remote code execution in the context of the WSO2 process. The weakness combines an unrestricted upload of a dangerous file type (CWE-434) with improper limitation of a pathname to a restricted directory (CWE-22). No prerequisites beyond network reachability are needed, because the affected /fileupload endpoint does not require authentication, which is why the issue is rated as critical and is especially dangerous wherever the management or portal interfaces are exposed to untrusted networks.
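The following is an added example, not code from the page or from WSO2: a minimal multipart parser that extracts the Content-Disposition filename, beside the flawed pattern that trusts it when building the destination path and a hardened replacement. The multipart body, the CARBON_HOME path and the depth of the upload directory are constructed assumptions chosen so that the four-level traversal from the advisory lands in the webapps directory.

```python
import os
import re

# Constructed multipart/form-data body (not captured from a real WSO2 instance): one
# file part whose Content-Disposition filename carries the traversal sequence quoted
# in the CVE text.
BOUNDARY = b"----boundary"
MALICIOUS_BODY = (
    b"------boundary\r\n"
    b'Content-Disposition: form-data; name="file"; '
    b'filename="../../../../repository/deployment/server/webapps/shell.jsp"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"<% out.println(1 + 1); %>\r\n"
    b"------boundary--\r\n"
)

# Hypothetical layout: CARBON_HOME and the upload directory are assumptions; the
# upload directory is four levels below CARBON_HOME so that "../../../../" escapes to it.
CARBON_HOME = "/opt/wso2am"
UPLOAD_DIR = os.path.join(CARBON_HOME, "tmp", "work", "uploads", "incoming")
WEBAPPS_DIR = os.path.join(CARBON_HOME, "repository", "deployment", "server", "webapps")

_FILENAME_RE = re.compile(rb'filename="([^"]*)"')


def parse_parts(body: bytes, boundary: bytes):
    """Yield (filename, content) for every file part in a multipart body."""
    delimiter = b"--" + boundary
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        headers, _, content = chunk.partition(b"\r\n\r\n")
        match = _FILENAME_RE.search(headers)
        if match:
            yield match.group(1).decode("latin-1"), content.rstrip(b"\r\n")


def vulnerable_target(filename: str) -> str:
    """The flawed pattern: the client-supplied filename is joined verbatim, so any
    '..' components in it move the destination out of UPLOAD_DIR."""
    return os.path.normpath(os.path.join(UPLOAD_DIR, filename))


ALLOWED_EXT = {".txt", ".csv", ".json", ".xml"}  # assumed allowlist for this upload type


def hardened_target(filename: str) -> str:
    """Keep only the last path component, allowlist the extension, and prove that the
    resolved path is still inside UPLOAD_DIR before returning it."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name in (".", ".."):
        raise ValueError("empty or dot-only filename")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} is not allowed")
    root = os.path.realpath(UPLOAD_DIR)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes the upload directory")
    return target


if __name__ == "__main__":
    for fname, _ in parse_parts(MALICIOUS_BODY, BOUNDARY):
        print("client filename :", fname)
        print("vulnerable path :", vulnerable_target(fname))
        try:
            hardened_target(fname)
        except ValueError as err:
            print("hardened path   : rejected ->", err)
```

The hardened version rejects the sample on two independent grounds (extension and containment); keeping both checks matters because an allowlist alone would still let a traversal write a harmless-looking extension into an arbitrary directory.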
The operational impact goes well beyond a file write: a successful exploit gives the attacker code execution as the account running the WSO2 server, and with it access to everything that server holds, including API keys, tokens, identity data and backend credentials. Typical consequences are data theft, service disruption and lateral movement into the networks the gateway or identity server can reach. Because the dropped payload is a web shell or backdoor written to the hot-deployment directory, it survives restarts until it is found and removed. Organisations that run several affected WSO2 products are exposed on every one of them, and a single compromised API gateway or identity provider can undermine the trust of the whole environment that depends on it. In ATT&CK terms the attack maps to T1190 (Exploit Public-Facing Application) for the initial access, T1505.003 (Server Software Component: Web Shell) for persistence, and T1059 (Command and Scripting Interpreter) for the commands run through the shell.
Mitigation for CVE-2022-29464 starts with upgrading every affected WSO2 product to a fixed release, or applying the fix or temporary mitigation that WSO2's security advisory for this issue provides for the version in use. Until that is done, the /fileupload endpoint should not be reachable from untrusted networks: restrict it at the load balancer, reverse proxy or firewall, and confirm the restriction by requesting the path from outside. A web application firewall rule that rejects multipart requests whose Content-Disposition filename contains a traversal sequence blocks the known exploit pattern but is a stop-gap, not a fix. Because the endpoint was exposed without authentication, assume it may already have been hit: review access logs for POST requests to /fileupload, compare the webapps directory against a known-good baseline for unexpected .jsp or .war files, and check for requests to such files. Roll the patch out after regression testing, and have an incident response plan ready in case exploitation is found before the patch reaches every instance.
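The detection and triage checks above, as an added example written for this page and not code from WSO2: one function flags POST requests to /fileupload from outside trusted address ranges, one correlates such a POST with a later request for a JSP file from the same source, and one diffs the webapps tree against a baseline of known files. The access log lines and the directory tree are constructed for the example; the /fileupload sub-path, the external addresses and the file names are assumptions.

```python
import ipaddress
import os
import re
import tempfile
from datetime import datetime

# Constructed combined-format access log (not from a real incident). The sub-path
# after /fileupload and the source addresses are assumptions for the example.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [19/Apr/2022:10:02:11 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Apr/2022:10:05:40 +0000] "POST /fileupload/toolsAny HTTP/1.1" 200 15 "-" "python-requests/2.27.1"
198.51.100.23 - - [19/Apr/2022:10:05:41 +0000] "GET /authenticationendpoint/shell.jsp?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.27.1"
10.0.0.5 - - [19/Apr/2022:10:06:02 +0000] "POST /fileupload/service HTTP/1.1" 200 40 "https://apim.internal/carbon/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text: str):
    """Parse combined-format lines into dicts; query strings are dropped from the path."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],
            "status": int(m["status"]),
        }


def untrusted_uploads(text: str, trusted_cidrs):
    """Every POST to /fileupload whose source is outside the trusted ranges."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for e in parse_log(text):
        if e["method"] == "POST" and e["path"].startswith("/fileupload"):
            src = ipaddress.ip_address(e["ip"])
            if not any(src in n for n in nets):
                hits.append((e["ip"], e["path"]))
    return hits


def upload_then_jsp(text: str, window_s: int = 300):
    """A POST to /fileupload followed within window_s by a successful request for a
    JSP from the same source: the shape of a drop-then-invoke web shell sequence."""
    events = list(parse_log(text))
    hits = []
    for u in events:
        if u["method"] != "POST" or not u["path"].startswith("/fileupload"):
            continue
        for e in events:
            delta = (e["ts"] - u["ts"]).total_seconds()
            if (e["ip"] == u["ip"] and e["status"] == 200
                    and e["path"].lower().endswith((".jsp", ".jspx"))
                    and 0 <= delta <= window_s):
                hits.append((u["ip"], u["path"], e["path"]))
    return hits


DEPLOYABLE_EXT = (".jsp", ".jspx", ".war")


def new_deployables(webapps_dir: str, baseline):
    """Deployable files under webapps_dir that are not in the known-good baseline."""
    found = []
    for root, _, files in os.walk(webapps_dir):
        for f in files:
            rel = os.path.relpath(os.path.join(root, f), webapps_dir)
            if f.lower().endswith(DEPLOYABLE_EXT) and rel not in baseline:
                found.append(rel)
    return sorted(found)


def build_sample_webapps() -> str:
    """Constructed webapps tree: one legitimate JSP and one unexpected shell.jsp."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "authenticationendpoint", "WEB-INF"))
    for rel in ("authenticationendpoint/login.jsp",
                "authenticationendpoint/WEB-INF/web.xml",
                "authenticationendpoint/shell.jsp"):
        open(os.path.join(d, rel), "w").close()
    return d


if __name__ == "__main__":
    print("untrusted uploads :", untrusted_uploads(SAMPLE_ACCESS_LOG, ["10.0.0.0/8"]))
    print("upload then jsp   :", upload_then_jsp(SAMPLE_ACCESS_LOG))
    tree = build_sample_webapps()
    print("new deployables   :", new_deployables(tree, {"authenticationendpoint/login.jsp"}))
```

The baseline for new_deployables should come from a clean installation of the same product version or from package integrity data, not from the suspect host itself; the log correlation is deliberately loose (any JSP, any sub-path under /fileupload) so that it also catches variants that do not use the file name seen in public reports.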