CVE-2022-2111

8.8 HIGH

📋 TL;DR

CVE-2022-2111 is an unrestricted file upload vulnerability in InvenTree inventory management software that allows attackers to upload malicious files to the server. This affects all users running InvenTree versions prior to 0.7.2. Successful exploitation could lead to remote code execution or server compromise.

💻 Affected Systems

Products:
  • InvenTree
Versions: All versions prior to 0.7.2
Operating Systems: All platforms running InvenTree
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments of InvenTree with file upload functionality enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Server compromise allowing file system access, data exfiltration, and potential privilege escalation.

🟢 If Mitigated

File uploads blocked or properly validated, limiting impact to denial of service if malicious files are uploaded.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.2 and later

Vendor Advisory: https://github.com/inventree/inventree/commit/26bf51c20a1c9b3130ac5dd2e17649bece5ff84f

Restart Required: Yes

Instructions:

1. Backup your InvenTree database and configuration.
2. Update to InvenTree version 0.7.2 or later using pip: 'pip install --upgrade inventree'.
3. Restart the InvenTree service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable file upload functionality (applies to: all)

Temporarily disable file upload features in InvenTree configuration. Edit InvenTree configuration to remove or restrict file upload endpoints.

Implement web application firewall rules (applies to: all)

Block malicious file uploads at the network perimeter. Configure WAF to block file uploads with dangerous extensions (.php, .exe, .sh, etc.).

🧯 If You Can't Patch

  • Implement strict file type validation at the application level
  • Run InvenTree in a containerized environment with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check the InvenTree version: if the version is lower than 0.7.2, the system is vulnerable.

Check Version:

python -c "import inventree; print(inventree.__version__)"

Verify Fix Applied:

Verify version is 0.7.2 or higher and test file upload functionality with restricted file types.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads, especially with executable extensions
  • Failed file validation attempts
  • Unexpected process execution

Network Indicators:

  • HTTP POST requests to upload endpoints with suspicious file types
  • Unusual outbound connections from InvenTree server

SIEM Query:

source="inventree" AND (url="*upload*" OR method="POST") AND (file_extension="php" OR file_extension="exe" OR file_extension="sh")
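As an added example (not code from this page or from the InvenTree project), the SIEM query above expressed as a small Python scanner over newline-delimited JSON log events. It tightens the query by requiring both a POST and an upload/attachment endpoint, and it catches upper-case and double-extension filenames such as report.pdf.PHP. The field names, sample events and the extra extensions beyond php/exe/sh are assumptions.

```python
import json

# Extensions from the advisory's SIEM query (php, exe, sh) plus a few other
# server-executable types; the extras are an assumption, tune to your stack.
DANGEROUS_EXTENSIONS = {"php", "phtml", "exe", "sh", "py", "jsp", "aspx"}

# Constructed sample JSON log lines (not real InvenTree output); field names
# follow the SIEM query on this page: source, method, url, file_extension/filename.
SAMPLE_LOG = """\
{"source": "inventree", "method": "POST", "url": "/api/part/attachment/", "user": "alice", "filename": "datasheet.pdf"}
{"source": "inventree", "method": "POST", "url": "/api/part/attachment/", "user": "bob", "filename": "shell.php"}
{"source": "inventree", "method": "POST", "url": "/api/part/attachment/", "user": "bob", "filename": "report.pdf.PHP"}
{"source": "inventree", "method": "GET", "url": "/api/part/attachment/", "user": "carol"}
{"source": "inventree", "method": "POST", "url": "/api/part/", "user": "carol", "filename": "notes.sh"}
{"source": "nginx", "method": "POST", "url": "/upload/", "filename": "x.exe"}
"""


def upload_extensions(filename: str) -> set:
    """Every extension in a filename, lower-cased: 'a.pdf.PHP' -> {'pdf', 'php'}."""
    parts = filename.lower().split(".")
    return set(parts[1:]) if len(parts) > 1 else set()


def is_suspicious_upload(event: dict) -> bool:
    """True for an InvenTree POST to an upload/attachment URL with a dangerous extension."""
    if event.get("source") != "inventree" or event.get("method") != "POST":
        return False
    url = event.get("url", "")
    if "upload" not in url and "attachment" not in url:
        return False
    exts = upload_extensions(event.get("filename", ""))
    if "file_extension" in event:  # structured logs may carry the extension directly
        exts.add(str(event["file_extension"]).lower().lstrip("."))
    return bool(exts & DANGEROUS_EXTENSIONS)


def scan(log_text: str) -> list:
    """Return the events worth alerting on from newline-delimited JSON log text."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the pipeline
        if is_suspicious_upload(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT user={hit.get('user')} url={hit['url']} file={hit.get('filename')}")
```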

🔗 References
