CVSS Base Score 6.8

CVE-2024-7074

Authenticated Arbitrary File Upload in Multiple WSO2 Products via SOAP Admin Service Leading to Remote Code Execution

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server.

By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.
Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Affected products (vendor WSO2)

Product WSO2 Enterprise Integrator
Default Status unaffected
Version range                    Status
>= 0 and < 6.0.0                 unknown
>= 6.0.0 and < 6.0.0.21          affected
>= 6.1.0 and < 6.1.0.38          affected
>= 6.1.1 and < 6.1.1.42          affected
>= 6.2.0 and < 6.2.0.61          affected
>= 6.3.0 and < 6.3.0.69          affected
>= 6.4.0 and < 6.4.0.96          affected
>= 6.5.0 and < 6.5.0.102         affected
>= 6.6.0 and < 6.6.0.198         affected

Product WSO2 API Manager
Default Status unaffected
Version range                    Status
>= 0 and < 2.0.0                 unknown
>= 2.0.0 and < 2.0.0.28          affected
>= 2.1.0 and < 2.1.0.38          affected
>= 2.2.0 and < 2.2.0.57          affected
>= 2.5.0 and < 2.5.0.83          affected
>= 2.6.0 and < 2.6.0.143         affected
>= 3.0.0 and < 3.0.0.162         affected
>= 3.1.0 and < 3.1.0.293         affected
>= 3.2.0 and < 3.2.0.384         affected
>= 3.2.1 and < 3.2.1.16          affected
>= 4.0.0 and < 4.0.0.305         affected
>= 4.1.0 and < 4.1.0.166         affected
>= 4.2.0 and < 4.2.0.100         affected
>= 4.3.0 and < 4.3.0.16          affected

Product WSO2 Enterprise Service Bus
Default Status unknown
Version range                    Status
>= 4.9.0 and < 4.9.0.10          affected
>= 5.0.0 and < 5.0.0.28          affected

Product WSO2 Enterprise Mobility Manager
Default Status unknown
Version range                    Status
>= 2.2.0 and < 2.2.0.27          affected

Product WSO2 Micro Integrator
Default Status unaffected
Version range                    Status
>= 0 and < 1.0.0                 unknown
>= 1.0.0 and < 1.0.0.49          affected

Product WSO2 Open Banking AM
Default Status unaffected
Version range                    Status
>= 0 and < 1.3.0                 unknown
>= 1.3.0 and < 1.3.0.132         affected
>= 1.4.0 and < 1.4.0.135         affected
>= 1.5.0 and < 1.5.0.137         affected
>= 2.0.0 and < 2.0.0.342         affected

Product WSO2 Carbon Synapse Artifact Uploader BE
Default Status unknown
Version range                    Status
>= 4.4.10 and < 4.4.10.3         affected
>= 4.6.1 and < 4.6.1.4           affected
>= 4.6.6 and < 4.6.6.9           affected
>= 4.6.10 and < 4.6.10.4         affected
>= 4.6.16 and < 4.6.16.2         affected
>= 4.6.19 and < 4.6.19.10        affected
>= 4.6.64 and < 4.6.64.2         affected
>= 4.6.67 and < 4.6.67.15        affected
>= 4.6.89 and < 4.6.89.12        affected
>= 4.6.105 and < 4.6.105.59      affected
>= 4.6.150 and < 4.6.150.11      affected
>= 4.7.20 and < 4.7.20.5         affected
>= 4.7.30 and < 4.7.30.42        affected
>= 4.7.35 and < 4.7.35.5         affected
>= 4.7.61 and < 4.7.61.56        affected
>= 4.7.99 and < 4.7.99.299       affected
>= 4.7.131 and < 4.7.131.15      affected
>= 4.7.175 and < 4.7.175.18      affected
>= 4.7.188 and < 4.7.188.5       affected
>= 4.7.204 and < 4.7.204.5       affected
>= 4.7.216 and <= *              unaffected
No warning notice was found for this CVE.
EPSS Metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   9.76%   0.949

CVSS Metrics
Source                                 Base Score   Exploit Score   Impact Score   Vector String
ed10eef1-636d-4fbe-9993-6890dfa878f8   6.8          0.9             5.9            CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3566/