CVE-2022-44635 (GCVE-0-2022-44635)
Vulnerability from cvelistv5 – Published: 2022-11-29 00:00 – Updated: 2025-04-25 14:51
VLAI?
Title
Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal
Summary
Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.
Severity ?
No CVSS data available.
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Fineract |
Affected:
Apache Fineract 1.8 , ≤ 1.8.0
(custom)
Affected: Apache Fineract 1.7 , ≤ 1.7.0 (custom) |
Credits
We would like to thank Aman Sapra, co-captain of the Super Guesser CTF team & Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance. We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:54:03.993Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg"
},
{
"name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-44635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T14:50:47.128187Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T14:51:14.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache Fineract",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.8.0",
"status": "affected",
"version": "Apache Fineract 1.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.7.0",
"status": "affected",
"version": "Apache Fineract 1.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "We would like to thank Aman Sapra, co-captain of the Super Guesser CTF team \u0026 Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance. We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE. "
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1."
}
],
"metrics": [
{
"other": {
"content": {
"other": "important"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-29T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg"
},
{
"name": "[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/29/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-44635",
"datePublished": "2022-11-29T00:00:00.000Z",
"dateReserved": "2022-11-02T00:00:00.000Z",
"dateUpdated": "2025-04-25T14:51:14.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.8.1\", \"matchCriteriaId\": \"0A1DE6E1-E14F-41ED-8AEE-1FCB2AF0506D\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.\"}, {\"lang\": \"es\", \"value\": \"Apache Fineract permiti\\u00f3 a un usuario autenticado realizar la ejecuci\\u00f3n remota de c\\u00f3digo debido a una vulnerabilidad de path traversal en un componente de carga de archivos de Apache Fineract, lo que permit\\u00eda a un atacante ejecutar c\\u00f3digo remoto. Este problema afecta a Apache Fineract versi\\u00f3n 1.8.0 y versiones anteriores. Recomendamos a los usuarios que actualicen a 1.8.1.\"}]",
"id": "CVE-2022-44635",
"lastModified": "2024-11-21T07:28:14.380",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2022-11-29T15:15:10.897",
"references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/29/3\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/29/3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-44635\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-11-29T15:15:10.897\",\"lastModified\":\"2025-04-25T15:15:33.310\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.\"},{\"lang\":\"es\",\"value\":\"Apache Fineract permiti\u00f3 a un usuario autenticado realizar la ejecuci\u00f3n remota de c\u00f3digo debido a una vulnerabilidad de path traversal en un componente de carga de archivos de Apache Fineract, lo que permit\u00eda a un atacante ejecutar c\u00f3digo remoto. Este problema afecta a Apache Fineract versi\u00f3n 1.8.0 y versiones anteriores. Recomendamos a los usuarios que actualicen a 1.8.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.8.1\",\"matchCriteriaId\":\"0A1DE6E1-E14F-41ED-8AEE-1FCB2AF0506D\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/3\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/29/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/29/3\", \"name\": \"[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal\", \"tags\": [\"mailing-list\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T13:54:03.993Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-44635\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-25T14:50:47.128187Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-25T14:51:10.616Z\"}}], \"cna\": {\"title\": \"Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"We would like to thank Aman Sapra, co-captain of the Super Guesser CTF team \u0026 Security researcher at CRED, for reporting this issue, and the Apache Security team for their assistance. We give kudos and karma to @Aleksandar Vidakovic for resolving this CVE. \"}], \"metrics\": [{\"other\": {\"type\": \"unknown\", \"content\": {\"other\": \"important\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Fineract\", \"versions\": [{\"status\": \"affected\", \"version\": \"Apache Fineract 1.8\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.8.0\"}, {\"status\": \"affected\", \"version\": \"Apache Fineract 1.7\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.7.0\"}]}], \"references\": [{\"url\": \"https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/29/3\", \"name\": \"[oss-security] 20221129 CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal\", \"tags\": [\"mailing-list\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2022-11-29T00:00:00.000Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-44635\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-25T14:51:14.718Z\", \"dateReserved\": \"2022-11-02T00:00:00.000Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2022-11-29T00:00:00.000Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…