CVE-2022-36537
Java vulnerability analysis and mitigation

Overview

CVE-2022-36537 is a vulnerability in ZK Framework, an open-source Java framework used for creating enterprise web and mobile applications. The vulnerability was discovered by Markus Wulftange of Code White GmbH and was disclosed in May 2022. It affects multiple versions of ZK Framework including v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1. The vulnerability exists in the AuUploader component, which allows attackers to access sensitive information via crafted POST requests (ZK Issue).

Technical details

The flaw lies in ZK Framework's AuUploader servlet, which can be abused to retrieve the contents of files located in the web application context. A forged request to the /zkau/upload endpoint that carries a nextURI parameter causes the AuUploader to forward the request internally and return the referenced document, exposing files under WEB-INF that are normally unreachable by clients, such as web.xml and zk.xml. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) (NVD).
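A defender-side check for the request pattern described above, added here as an example (not code from ZK or from the original report): it scans web-server access logs for POST requests to /zkau/upload that carry a nextURI parameter and flags those pointing at WEB-INF or META-INF. The log lines are constructed samples, and the combined-log-format layout and the severity labels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic), combined log format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "POST /zkau/upload?uuid=abc&nextURI=/WEB-INF/web.xml HTTP/1.1" 200 1532 "-" "curl/7.81"
10.0.0.7 - - [01/Mar/2023:10:00:02 +0000] "POST /zkau/upload?uuid=def&dtid=z_1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2023:10:00:03 +0000] "POST /zkau/upload?uuid=ghi&nextURI=%252FWEB-INF%252Fzk.xml HTTP/1.1" 200 910 "-" "python-requests/2.28"
10.0.0.3 - - [01/Mar/2023:10:00:04 +0000] "GET /zkau HTTP/1.1" 200 40 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Mar/2023:10:00:05 +0000] "POST /zkau/upload?uuid=jkl&nextURI=/index.zul HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Fields of one combined-log-format line that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
RESTRICTED = ("web-inf", "meta-inf")


def classify(line):
    """Return a finding dict for a suspicious /zkau/upload request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if m.group("method").upper() != "POST" or not parts.path.lower().endswith("/zkau/upload"):
        return None
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if "nexturi" not in params:
        return None
    # parse_qs decodes one layer; peel further layers so %252F (double-encoded "/") is seen.
    uri = params["nexturi"][0]
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    severity = "high" if any(r in uri.lower() for r in RESTRICTED) else "medium"
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "severity": severity, "reason": f"nextURI={uri!r}"}


def scan(log_text):
    """Return findings for every suspicious line in the given log text."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]
```

Only parameters carried in the query string reach a standard access log; a nextURI sent in the POST body is visible only to a WAF or to request-body logging, so this check complements rather than replaces upgrading to a fixed version.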

Impact

While initially categorized as an information disclosure vulnerability, the impact has proven to be more severe, particularly in products like ConnectWise R1Soft Server Backup Manager. Attackers can exploit this vulnerability to achieve remote code execution, gain initial access to systems, and deploy malicious database drivers that function as backdoors. Once compromised, attackers can execute commands on all systems running the agent connected to the R1Soft server (Rapid7 Blog).

Mitigation and workarounds

Fixed versions of ZK Framework have been released: 9.6.2, 9.6.0.2 (security release), 9.5.1.4 (security release), 9.0.1.3 (security release), and 8.6.4.2 (security release). For ConnectWise products, users should upgrade R1Soft Server Backup Manager to version 6.16.4 released on October 28, 2022. ConnectWise Recover users should update to version 2.9.9. For older versions of ZK Framework, workarounds are available through patch files that can be added to applications (ZK Issue).

Community reactions

CISA added CVE-2022-36537 to its Known Exploited Vulnerabilities (KEV) catalog on February 27, 2023, warning that 'This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.' Federal agencies were given until March 20, 2023, to apply security updates (Bleeping Computer).
