CVE-2022-41217

Cloudflow - Unauthenticated file upload vulnerability

CVE CVE-2022-41217
Title Cloudflow - Unauthenticated file upload vulnerability
Credits
  • Discovered by Witold Gorecki (finder)
  • Victor Pasman (DIVD) (analyst)
Affected products
Product Affected Unaffected Unknown
Hybrid Software Cloudflow on Windows, MacOS, Linux >= < 2.3.1 to < 2.3.1 (2.x.y)
everything else
CVSS Base score: 8.8 (HIGH)
References
Problem type(s) CWE-434: Unrestricted Upload of File with Dangerous Type
Impact(s) CAPEC-650 Upload a Web Shell to a Web Server
Date published
Last modified 11 Jun 2023 13:17 UTC

Description

Cloudflow contains an unauthenticated file upload vulnerability that allows an attacker to upload malicious files to the CLOUDFLOW PROOFSCOPE built-in storage.

Solution(s)

Upgrade to version 2.3.2 of Cloudflow

