CVE-2022-41217 - Vulnerability Details - OpenCVE

Cloudflow contains a unauthenticated file upload vulnerability, which makes it possible for an attacker to upload malicious files to the CLOUDFLOW PROOFSCOPE built-in storage.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Hybridsoftware	Cloudflow

Configuration 1 [-]

cpe:2.3:a:hybridsoftware:cloudflow:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://csirt.divd.nl/CVE-2022-41217
https://csirt.divd.nl/DIVD-2022-00052

History

Tue, 11 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 16 Oct 2024 12:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: DIVD

Published: 2023-02-22T14:42:25.592Z

Updated: 2025-04-01T04:48:09.968Z

Reserved: 2022-09-21T03:53:53.699Z

Link: CVE-2022-41217

Vulnrichment

Updated: 2024-08-03T12:35:49.606Z

NVD

Status : Modified

Published: 2023-02-22T15:15:11.540

Modified: 2024-11-21T07:22:51.097

Link: CVE-2022-41217

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-41217", "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "state": "PUBLISHED", "assignerShortName": "DIVD", "dateReserved": "2022-09-21T03:53:53.699Z", "datePublished": "2023-02-22T14:42:25.592Z", "dateUpdated": "2025-04-01T04:48:09.968Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "MacOS", "Linux"], "product": "Cloudflow", "vendor": "Hybrid Software", "versions": [{"lessThanOrEqual": "2.3.1", "status": "affected", "version": "< 2.3.1", "versionType": "2.x.y"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Discovered by Witold Gorecki"}, {"lang": "en", "type": "analyst", "user": "00000000-0000-4000-9000-000000000000", "value": "Victor Pasman (DIVD)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cloudflow contains a unauthenticated file upload vulnerability, which makes it possible for an attacker to upload malicious files to the CLOUDFLOW PROOFSCOPE built-in storage."}], "value": "Cloudflow contains a unauthenticated file upload vulnerability, which makes it possible for an attacker to upload malicious files to the CLOUDFLOW PROOFSCOPE built-in storage."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "shortName": "DIVD", "dateUpdated": "2025-04-01T04:48:09.968Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://csirt.divd.nl/CVE-2022-41217"}, {"tags": ["related"], "url": "https://csirt.divd.nl/DIVD-2022-00052"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to version 2.3.2 of Cloudflow"}], "value": "Upgrade to version 2.3.2 of Cloudflow"}], "source": {"discovery": "EXTERNAL"}, "title": "Cloudflow - Unauthenticated file upload vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:35:49.606Z"}, "title": "CVE Program Container", "references": [{"url": "https://csirt.divd.nl/CVE-2022-41217", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://csirt.divd.nl/DIVD-2022-00052", "tags": ["related", "x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-11T18:42:58.696826Z", "id": "CVE-2022-41217", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-11T18:46:25.273Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://csirt.divd.nl/CVE-2022-41217", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://csirt.divd.nl/DIVD-2022-00052", "tags": ["related", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:35:49.606Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-41217", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-11T18:42:58.696826Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-11T18:43:09.802Z"}}], "cna": {"title": "Cloudflow - Unauthenticated file upload vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Discovered by Witold Gorecki"}, {"lang": "en", "type": "analyst", "user": "00000000-0000-4000-9000-000000000000", "value": "Victor Pasman (DIVD)"}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hybrid Software", "product": "Cloudflow", "versions": [{"status": "affected", "version": "< 2.3.1", "versionType": "2.x.y", "lessThanOrEqual": "2.3.1"}], "platforms": ["Windows", "MacOS", "Linux"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 2.3.2 of Cloudflow", "supportingMedia": [{"type": "text/html", "value": "Upgrade to version 2.3.2 of Cloudflow", "base64": false}]}], "references": [{"url": "https://csirt.divd.nl/CVE-2022-41217", "tags": ["third-party-advisory"]}, {"url": "https://csirt.divd.nl/DIVD-2022-00052", "tags": ["related"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Cloudflow contains a unauthenticated file upload vulnerability, which makes it possible for an attacker to upload malicious files to the CLOUDFLOW PROOFSCOPE built-in storage.", "supportingMedia": [{"type": "text/html", "value": "Cloudflow contains a unauthenticated file upload vulnerability, which makes it possible for an attacker to upload malicious files to the CLOUDFLOW PROOFSCOPE built-in storage.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "shortName": "DIVD", "dateUpdated": "2025-04-01T04:48:09.968Z"}}}, "cveMetadata": {"cveId": "CVE-2022-41217", "state": "PUBLISHED", "dateUpdated": "2025-04-01T04:48:09.968Z", "dateReserved": "2022-09-21T03:53:53.699Z", "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217", "datePublished": "2023-02-22T14:42:25.592Z", "assignerShortName": "DIVD"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hybridsoftware:cloudflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "4844EF24-6B3C-4086-93C8-374E42B9F846", "versionEndExcluding": "2.3.2", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cloudflow contains a unauthenticated file upload vulnerability, which makes it possible for an attacker to upload malicious files to the CLOUDFLOW PROOFSCOPE built-in storage."}], "id": "CVE-2022-41217", "lastModified": "2024-11-21T07:22:51.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "csirt@divd.nl", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-22T15:15:11.540", "references": [{"source": "csirt@divd.nl", "tags": ["Third Party Advisory"], "url": "https://csirt.divd.nl/CVE-2022-41217"}, {"source": "csirt@divd.nl", "url": "https://csirt.divd.nl/DIVD-2022-00052"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://csirt.divd.nl/CVE-2022-41217"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://csirt.divd.nl/DIVD-2022-00052"}], "sourceIdentifier": "csirt@divd.nl", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "csirt@divd.nl", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}