{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2022-50992/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2022-50992"}],"_cs_exploited":true,"_cs_products":["E-cology 9.5"],"_cs_severities":["critical"],"_cs_tags":["cve-2022-50992","file-read","vulnerability","webserver"],"_cs_type":"threat","_cs_vendors":["Weaver (Fanwei)"],"content_html":"\u003cp\u003eWeaver (Fanwei) E-cology 9.5 versions prior to 10.52 are vulnerable to an arbitrary file read vulnerability (CVE-2022-50992) within the XmlRpcServlet interface. This vulnerability is located at the XML-RPC endpoint and allows unauthenticated remote attackers to read arbitrary files on the system. The attack leverages the \u003ccode\u003eWorkflowService.getAttachment\u003c/code\u003e and \u003ccode\u003eWorkflowService.LoadTemplateProp\u003c/code\u003e methods, which can be accessed without authentication, to supply file paths. Successful exploitation enables attackers to retrieve sensitive files, including system configuration files and database credentials, from the compromised server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC), highlighting active exploitation of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Weaver E-cology 9.5 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted XML-RPC request to the XmlRpcServlet endpoint.\u003c/li\u003e\n\u003cli\u003eThe request invokes either the \u003ccode\u003eWorkflowService.getAttachment\u003c/code\u003e or \u003ccode\u003eWorkflowService.LoadTemplateProp\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a file path to a sensitive file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, database configuration files) as a parameter in the XML-RPC request.\u003c/li\u003e\n\u003cli\u003eThe vulnerable method processes the request without proper authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe server reads the content of the specified file.\u003c/li\u003e\n\u003cli\u003eThe server returns the file content in the XML-RPC response.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the response to extract the contents of the sensitive file, potentially gaining access to credentials or other sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2022-50992 allows unauthenticated attackers to read arbitrary files on the Weaver E-cology server. This can lead to the disclosure of sensitive information, such as system configuration files, database credentials, and other confidential data. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability. This vulnerability can lead to full system compromise if database credentials are leaked.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Weaver E-cology instances to version 10.52 or later to remediate CVE-2022-50992.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Weaver E-cology File Read via XML-RPC\u003c/code\u003e to identify exploitation attempts targeting the vulnerable XML-RPC endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the XmlRpcServlet endpoint, specifically those containing \u003ccode\u003eWorkflowService.getAttachment\u003c/code\u003e or \u003ccode\u003eWorkflowService.LoadTemplateProp\u003c/code\u003e, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of a potential compromise and restrict access to sensitive internal resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-weaver-file-read/","summary":"Unauthenticated remote attackers can exploit an arbitrary file read vulnerability (CVE-2022-50992) in Weaver E-cology 9.5 versions prior to 10.52 via the XML-RPC endpoint to access sensitive files.","title":"Weaver E-cology Arbitrary File Read Vulnerability (CVE-2022-50992)","url":"https://feed.craftedsignal.io/briefs/2024-01-weaver-file-read/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2022-50992","version":"https://jsonfeed.org/version/1.1"}