CVE-2022-29622: Malicious File Upload
First published: Mon May 16 2022(Updated: )
An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/formidable | <3.2.4 | 3.2.4 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
| Formidable Forms | =3.1.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/node-formidable/formidable/issues/856
- https://github.com/node-formidable/formidable/issues/862
- https://medium.com/@zsolt.imre/is-cybersecurity-the-next-supply-chain-vulnerability-9a00de745022
- https://www.youtube.com/watch?v=C6QPKooxhAo
- https://github.com/strapi/strapi/issues/20189
- https://medium.com/%40zsolt.imre/is-cybersecurity-the-next-supply-chain-vulnerability-9a00de745022
- https://nvd.nist.gov/vuln/detail/CVE-2022-29622
- https://github.com/node-formidable/formidable/pull/857
- https://gitlab.com/keymandll/blog/-/blob/master/posts/03062022-Invulnerability_Analysis-CVE-2022%E2%80%9329622/index.md
- https://portswigger.net/daily-swig/researcher-defends-formidable-in-fight-against-critical-cve-vulnerability-assignment
- https://github.com/advisories/GHSA-8cp3-66vr-3r4c (Advisory)
- https://www.ibm.com/support/pages/node/7173592 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2022-29622?
CVE-2022-29622 is classified as a moderate severity vulnerability due to its potential for arbitrary code execution.
How do I fix CVE-2022-29622?
To fix CVE-2022-29622, update the formidable package to version 3.2.4 or later.
Which versions of formidable are affected by CVE-2022-29622?
CVE-2022-29622 affects formidable version 3.1.4 and potentially earlier versions.
What kind of attack is facilitated by CVE-2022-29622?
CVE-2022-29622 allows attackers to execute arbitrary code through crafted filenames uploaded via the vulnerable application.
Are there any applications besides formidable that are affected by CVE-2022-29622?
Yes, IBM Cognos Analytics versions 11.2.0 to 11.2.4 FP3 and 12.0.0 to 12.0.3 are also affected by CVE-2022-29622.
- agent/type
- agent/severity
- agent/weakness
- agent/author
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8cp3-66vr-3r4c
- alias/CVE-2022-29622
- agent/software-canonical-lookup
- collector/github-advisory
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/description
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-api
- package-manager/npm
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp3
- vendor/formidable project
- canonical/formidable forms
- version/formidable forms/3.1.4