CVSS base score 6.8
CVE-2024-7074
- EPSS 0.1%
- Published 02.06.2025 16:42:19
- Last modified 02.06.2025 17:32:17
- Source ed10eef1-636d-4fbe-9993-6890df
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user input in SOAP admin services. A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location on the server. By leveraging this vulnerability, an attacker could upload a specially crafted payload, potentially achieving remote code execution (RCE) on the server. Exploitation requires valid admin credentials, limiting its impact to authorized but potentially malicious users.
Linked by AI from unstructured data to existing NVD CPEs
Data is provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Vendor: WSO2
Product: WSO2 Enterprise Integrator
Default status: unaffected

Version | Range | Status |
---|---|---|
0 | < 6.0.0 | unknown |
6.0.0 | < 6.0.0.21 | affected |
6.1.0 | < 6.1.0.38 | affected |
6.1.1 | < 6.1.1.42 | affected |
6.2.0 | < 6.2.0.61 | affected |
6.3.0 | < 6.3.0.69 | affected |
6.4.0 | < 6.4.0.96 | affected |
6.5.0 | < 6.5.0.102 | affected |
6.6.0 | < 6.6.0.198 | affected |

Vendor: WSO2
Product: WSO2 API Manager
Default status: unaffected

Version | Range | Status |
---|---|---|
0 | < 2.0.0 | unknown |
2.0.0 | < 2.0.0.28 | affected |
2.1.0 | < 2.1.0.38 | affected |
2.2.0 | < 2.2.0.57 | affected |
2.5.0 | < 2.5.0.83 | affected |
2.6.0 | < 2.6.0.143 | affected |
3.0.0 | < 3.0.0.162 | affected |
3.1.0 | < 3.1.0.293 | affected |
3.2.0 | < 3.2.0.384 | affected |
3.2.1 | < 3.2.1.16 | affected |
4.0.0 | < 4.0.0.305 | affected |
4.1.0 | < 4.1.0.166 | affected |
4.2.0 | < 4.2.0.100 | affected |
4.3.0 | < 4.3.0.16 | affected |

Vendor: WSO2
Product: WSO2 Enterprise Service Bus
Default status: unknown

Version | Range | Status |
---|---|---|
4.9.0 | < 4.9.0.10 | affected |
5.0.0 | < 5.0.0.28 | affected |

Vendor: WSO2
Product: WSO2 Enterprise Mobility Manager
Default status: unknown

Version | Range | Status |
---|---|---|
2.2.0 | < 2.2.0.27 | affected |

Vendor: WSO2
Product: WSO2 Micro Integrator
Default status: unaffected

Version | Range | Status |
---|---|---|
0 | < 1.0.0 | unknown |
1.0.0 | < 1.0.0.49 | affected |

Vendor: WSO2
Product: WSO2 Open Banking AM
Default status: unaffected

Version | Range | Status |
---|---|---|
0 | < 1.3.0 | unknown |
1.3.0 | < 1.3.0.132 | affected |
1.4.0 | < 1.4.0.135 | affected |
1.5.0 | < 1.5.0.137 | affected |
2.0.0 | < 2.0.0.342 | affected |

Vendor: WSO2
Product: WSO2 Carbon Synapse Artifact Uploader BE
Default status: unknown

Version | Range | Status |
---|---|---|
4.4.10 | < 4.4.10.3 | affected |
4.6.1 | < 4.6.1.4 | affected |
4.6.6 | < 4.6.6.9 | affected |
4.6.10 | < 4.6.10.4 | affected |
4.6.16 | < 4.6.16.2 | affected |
4.6.19 | < 4.6.19.10 | affected |
4.6.64 | < 4.6.64.2 | affected |
4.6.67 | < 4.6.67.15 | affected |
4.6.89 | < 4.6.89.12 | affected |
4.6.105 | < 4.6.105.59 | affected |
4.6.150 | < 4.6.150.11 | affected |
4.7.20 | < 4.7.20.5 | affected |
4.7.30 | < 4.7.30.42 | affected |
4.7.35 | < 4.7.35.5 | affected |
4.7.61 | < 4.7.61.56 | affected |
4.7.99 | < 4.7.99.299 | affected |
4.7.131 | < 4.7.131.15 | affected |
4.7.175 | < 4.7.175.18 | affected |
4.7.188 | < 4.7.188.5 | affected |
4.7.204 | < 4.7.204.5 | affected |
4.7.216 | <= * | unaffected |
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.1% | 0.279 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.8 | 0.9 | 5.9 | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.