CISA KEV Information
| Vulnerability Name | ZK Framework AuUploader Unspecified Vulnerability |
|---|---|
| Description | ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Java framework. This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager. |
| Required Action | Apply updates per vendor instructions. |
| Known Ransomware Campaign Use | Known |
| CWE | CWE-441 |
| Date Added (KEV) | 2023-02-27 |
| Due Date | 2023-03-20 |
| Additional Notes | https://tracker.zkoss.org/browse/ZK-5150; https://nvd.nist.gov/vuln/detail/CVE-2022-36537 |
NVD Details
CVSS v3.1: 7.5 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description: ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
References
- https://tracker.zkoss.org/browse/ZK-5150 [Issue Tracking, Patch, Vendor Advisory]
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/ [Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36537 [US Government Resource]
This product uses the NVD API but is not endorsed or certified by the NVD.