CVE-2024-7074

Description

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

WSO2 / WSO2 API Manager2.6.0 – 2.6.0.143
WSO2 / WSO2 API Manager4.3.0 – 4.3.0.16
WSO2 / WSO2 API Manager4.2.0 – 4.2.0.100
WSO2 / WSO2 API Manager4.1.0 – 4.1.0.166
WSO2 / WSO2 API Manager4.0.0 – 4.0.0.305
WSO2 / WSO2 API Manager3.2.1 – 3.2.1.16
WSO2 / WSO2 API Manager3.2.0 – 3.2.0.384
WSO2 / WSO2 API Manager3.1.0 – 3.1.0.293
WSO2 / WSO2 API Manager3.0.0 – 3.0.0.162
WSO2 / WSO2 API Manager0 – 2.0.0
WSO2 / WSO2 API Manager2.0.0 – 2.0.0.28
WSO2 / WSO2 API Manager2.1.0 – 2.1.0.38
WSO2 / WSO2 API Manager2.2.0 – 2.2.0.57
WSO2 / WSO2 API Manager2.5.0 – 2.5.0.83
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.7.216 – *
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.6.1 – 4.6.1.4
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.6.6 – 4.6.6.9
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.6.10 – 4.6.10.4
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.6.16 – 4.6.16.2
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.6.19 – 4.6.19.10
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.6.64 – 4.6.64.2
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.6.67 – 4.6.67.15
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.6.89 – 4.6.89.12
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.6.105 – 4.6.105.59
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.6.150 – 4.6.150.11
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.7.20 – 4.7.20.5
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.7.30 – 4.7.30.42
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.7.35 – 4.7.35.5
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.7.61 – 4.7.61.56
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.7.99 – 4.7.99.299
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.7.131 – 4.7.131.15
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.7.175 – 4.7.175.18
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.7.188 – 4.7.188.5
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.7.204 – 4.7.204.5
WSO2 / WSO2 Carbon Synapse Artifact Uploader BE4.4.10 – 4.4.10.3
WSO2 / WSO2 Enterprise Integrator6.6.0 – 6.6.0.198
WSO2 / WSO2 Enterprise Integrator6.5.0 – 6.5.0.102
WSO2 / WSO2 Enterprise Integrator6.4.0 – 6.4.0.96
WSO2 / WSO2 Enterprise Integrator6.3.0 – 6.3.0.69
WSO2 / WSO2 Enterprise Integrator6.2.0 – 6.2.0.61
WSO2 / WSO2 Enterprise Integrator6.1.1 – 6.1.1.42
WSO2 / WSO2 Enterprise Integrator6.1.0 – 6.1.0.38
WSO2 / WSO2 Enterprise Integrator6.0.0 – 6.0.0.21
WSO2 / WSO2 Enterprise Integrator0 – 6.0.0
WSO2 / WSO2 Enterprise Mobility Manager2.2.0 – 2.2.0.27
WSO2 / WSO2 Enterprise Service Bus5.0.0 – 5.0.0.28
WSO2 / WSO2 Enterprise Service Bus4.9.0 – 4.9.0.10
WSO2 / WSO2 Micro integrator1.0.0 – 1.0.0.49
WSO2 / WSO2 Micro integrator0 – 1.0.0
WSO2 / WSO2 Open Banking AM1.3.0 – 1.3.0.132
WSO2 / WSO2 Open Banking AM1.5.0 – 1.5.0.137
WSO2 / WSO2 Open Banking AM2.0.0 – 2.0.0.342
WSO2 / WSO2 Open Banking AM1.4.0 – 1.4.0.135
WSO2 / WSO2 Open Banking AM0 – 1.3.0

References

VENDOR_ADVISORYhttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3566/