CVE-2022-36537: [ZK-5150] Vulnerability in zk upload

ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.

Secure versions

This vulnerability is resolved in versions:

  • 9.6.2
  • 9.6.0.2 (security release)
  • 9.5.1.4 (security release)
  • 9.0.1.3 (security release)
  • 8.6.4.2 (security release)

Workaround

Download the attached classes and add them to your application in their declared package.

Then register them in zk.xml:

<listener>
    <listener-class>org.zkoss.support.patch.AuUploadWebAppInit</listener-class>
</listener>

<system-config>
    <file-item-factory-class>org.zkoss.support.patch.UploadFixItemFactory</file-item-factory-class>
</system-config>

Vulnerability details

Thanks to Markus Wulftange of Code White GmbH for discovering and reporting this issue, as well as cooperating with us in its resolution.

The ZK AuUploader servlet contains a security vulnerability that can be exploited to retrieve the content of a file located in the web context. This includes files normally hidden from the user and located under WEB-INF, such as web.xml and zk.xml.

In the affected versions, an attacker may send a forged request to the /zkau/upload endpoint.
If the forged request contains the nextURI parameter, the AuUploader tries to forward the request internally and, if a document is found at that location, writes it into the response.

Because this is an internal forward, it can reach documents located in the restricted WEB-INF folder, which exposes internal files such as web.xml, zk.xml and anything else stored in that directory.

This vulnerability affects ZK versions earlier than those in the secure version list provided above.

The secure list contains security releases for the ZK branches from 8.6.X up to 9.6.0.X, plus the main release 9.6.2.
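
For defenders who want to check whether the request pattern described above has already hit a server, the following Python example is added here and is not part of the advisory or of the ZK project. It parses common-log-format access log lines, flags POST requests to the AuUploader endpoint (/zkau/upload) that carry a nextURI parameter, and rates those whose nextURI resolves into WEB-INF as the most serious. The log lines are constructed for the example, and the function names and the three verdict labels are this example's own.

```python
"""Detection helper for the CVE-2022-36537 request pattern in access logs.

Added example (not from the ZK project or this advisory). It looks for POST
requests to the AuUploader endpoint (/zkau/upload) that carry a nextURI
parameter and rates those whose nextURI resolves into WEB-INF as the most
serious. Log lines are in the common/combined log format; the samples below
are constructed for this example.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Common log format: client, identity, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two direct WEB-INF targets (one behind a context
# path), one with extra percent-encoding, one nextURI to an ordinary page,
# one upload without nextURI, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "POST /zkau/upload?nextURI=/WEB-INF/web.xml HTTP/1.1" 200 1532
10.0.0.5 - - [01/Mar/2023:10:00:02 +0000] "POST /app/zkau/upload?nextURI=..%2FWEB-INF%2Fzk.xml HTTP/1.1" 200 804
10.0.0.6 - - [01/Mar/2023:10:00:03 +0000] "POST /zkau/upload?nextURI=%252Fweb-inf%252Fweb.xml HTTP/1.1" 200 1532
10.0.0.9 - - [01/Mar/2023:10:00:04 +0000] "POST /zkau/upload?nextURI=/result.zul HTTP/1.1" 200 220
10.0.0.7 - - [01/Mar/2023:10:00:05 +0000] "POST /zkau/upload HTTP/1.1" 200 312
10.0.0.8 - - [01/Mar/2023:10:00:06 +0000] "GET /index.zul HTTP/1.1" 200 4100
"""


def targets_web_inf(next_uri: str) -> bool:
    """True if a nextURI value resolves to a path containing a WEB-INF segment.

    parse_qs has already removed one layer of percent-encoding; a second
    unquote normalises values that were encoded twice in the log, and
    normpath collapses '..' so a traversal into WEB-INF is treated the same
    as a direct reference. Matching is case-insensitive.
    """
    decoded = unquote(next_uri).replace("\\", "/")
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    return "web-inf" in (seg.lower() for seg in normalized.split("/"))


def classify(line: str) -> Optional[str]:
    """Return 'web-inf', 'nexturi' or 'benign' for one log line, None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    if m["method"] != "POST" or not parts.path.lower().endswith("/zkau/upload"):
        return "benign"
    params = parse_qs(parts.query, keep_blank_values=True)
    # Tolerate case variants of the parameter name
    values = [v for name, vs in params.items() if name.lower() == "nexturi" for v in vs]
    if not values:
        return "benign"
    if any(targets_web_inf(v) for v in values):
        return "web-inf"
    return "nexturi"


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, verdict, request_target) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict in ("web-inf", "nexturi"):
            m = LOG_RE.match(line)
            hits.append((m["ip"], verdict, m["target"]))
    return hits


if __name__ == "__main__":
    for ip, verdict, target in scan(SAMPLE_LOG):
        print(f"{verdict:8} {ip:10} {target}")
```

Access logs record only the query string, so a nextURI carried in the request body will not show up here; covering that case needs request logging at the application or WAF layer. Any 'nexturi' hit deserves a look even when the target is not WEB-INF, since ordinary uploads have no reason to ask for a forward. The check is a retrospective aid, not a substitute for upgrading to one of the secure versions listed above.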

Related news

Threat Source newsletter (March 2, 2023) — Little victories in the fight against ransomware

Serious sanctions and legal consequences may be slowing ransomware groups down, but it's still unclear if this is a permanent shift.

CISA: ZK Java Framework RCE Flaw Under Active Exploit

The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately.

CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive

Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution

IT service management software platform ConnectWise has released software patches for a critical security vulnerability in Recover and R1Soft Server Backup Manager (SBM). The issue, characterized as a "neutralization of Special Elements in Output Used by a Downstream Component," could be abused to result in the execution of remote code or disclosure of sensitive information. ConnectWise's

Patch Now: Dangerous RCE Bug Lays Open ConnectWise Server Backup Managers

A critical security vulnerability gives attackers a way to compromise thousands of systems at ConnectWise's managed service provider (MSP) customer locations and their downstream clients.