CVE-2022-25267
📋 TL;DR
CVE-2022-25267 is a directory traversal vulnerability in Passwork On-Premise Edition that allows attackers to upload arbitrary files to any directory on the server via the migration/uploadExportFile endpoint. This affects organizations running vulnerable versions of Passwork On-Premise Edition, potentially leading to remote code execution or data compromise.
💻 Affected Systems
- Passwork On-Premise Edition
📦 What is this software?
Passwork by Passwork
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or ransomware deployment.
Likely Case
Unauthorized file upload leading to web shell installation, data manipulation, or privilege escalation.
If Mitigated
Limited impact if proper network segmentation and file upload validation are implemented.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once access is obtained. Public proof-of-concept demonstrates the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.13 and later
Vendor Advisory: https://passwork.me
Restart Required: Yes
Instructions:
1. Back up your Passwork database and configuration.
2. Download version 4.6.13 or later from the official Passwork website.
3. Follow the Passwork upgrade documentation for your specific deployment method (Docker, manual, etc.).
4. Restart the Passwork service after the upgrade.
🔧 Temporary Workarounds
Restrict access to vulnerable endpoint
Block or restrict access to the /migration/uploadExportFile endpoint using web application firewall or reverse proxy rules.
# Example nginx location block
location /migration/uploadExportFile { deny all; }
# Example Apache 2.4 (server or virtual host config; <Location> is not allowed in .htaccess)
<Location "/migration/uploadExportFile">
Require all denied
</Location>
Implement file upload validation
Add server-side validation to restrict file uploads to specific directories and validate file types.
# Requires application code modification - consult Passwork documentation
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Passwork servers from critical infrastructure.
- Enable detailed logging and monitoring for file upload activities and implement alerting for suspicious patterns.
🔍 How to Verify
Check if Vulnerable:
Check the Passwork version in the web interface admin panel or via the API. Versions before 4.6.13 are vulnerable.
Check Version:
curl -k https://your-passwork-server/api/about | grep version
Verify Fix Applied:
Verify the version is 4.6.13 or later and test that the /migration/uploadExportFile endpoint properly validates file paths.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload activities to /migration/uploadExportFile
- Attempts to access directories outside expected upload paths
- Multiple failed upload attempts followed by successful upload
Network Indicators:
- POST requests to /migration/uploadExportFile with path traversal sequences (../)
- Unusual outbound connections from Passwork server after file upload
SIEM Query:
source="passwork.logs" AND (uri_path="/migration/uploadExportFile" AND (message="*../*" OR message="*..\\*"))
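
The log and network indicators above can also be checked offline against reverse proxy access logs. The following is an added example, not code from Passwork or from this advisory. It assumes combined-format access log lines; the sample lines, the `placeholder` query parameter and the function names `fully_decode` and `scan` are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

ENDPOINT = "/migration/uploadExportFile"  # endpoint named in the advisory
# Assumed input: combined-format access log from the reverse proxy.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed sample lines; "placeholder" is not a real Passwork parameter.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "POST /migration/uploadExportFile HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /migration/uploadExportFile?placeholder=..%2F..%2Fexample HTTP/1.1" 403 0',
    '198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "POST /migration/uploadExportFile?placeholder=%252e%252e%255cexample HTTP/1.1" 500 0',
    '198.51.100.7 - - [01/Jan/2024:10:01:09 +0000] "POST /migration/uploadExportFile HTTP/1.1" 200 64',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded forms normalise."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value


def scan(lines, fail_threshold=2):
    """Return (ip, status, reasons) for every request to the upload endpoint."""
    failures, findings = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or ENDPOINT not in (target := fully_decode(m["target"])):
            continue
        ip, status, reasons = m["ip"], int(m["status"]), ["endpoint_hit"]
        if TRAVERSAL_RE.search(target):
            reasons.append("traversal_sequence")
        if status >= 400:
            failures[ip] += 1  # count failed attempts per client
        elif failures[ip] >= fail_threshold:
            reasons.append("success_after_failures")
            failures[ip] = 0
        findings.append((ip, status, reasons))
    return findings


if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Traversal sequences carried in a request body do not appear in an access log, so every request to the endpoint is reported with `endpoint_hit` for review rather than only those with a visible `../`.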