{"id":"CVE-2022-44635","details":"Apache Fineract allowed an authenticated user to perform remote code execution due to a path traversal vulnerability in a file upload component of Apache Fineract, allowing an attacker to run remote code. This issue affects Apache Fineract version 1.8.0 and prior versions. We recommend users to upgrade to 1.8.1.","modified":"2026-04-12T04:17:49.796820Z","published":"2022-11-29T15:15:10.897Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/11/29/3"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/t8q6fmh3o6yqmy69qtqxppk9yg9wfybg"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/fineract","events":[{"introduced":"0"},{"fixed":"90f854b68886458a466b048807c26ccf31a6f555"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.8.1"}],"cpe":"cpe:2.3:a:apache:fineract:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["1.0.0","1.1.0","1.2.0","1.3.0","1.5.0","1.8.0"],"database_specific":{"vanir_signatures_modified":"2026-04-12T04:17:49Z","vanir_signatures":[{"digest":{"line_hashes":["236509758749748342454817270594780397597","268218976097468295366479396221596327693","51500460393827293229909378399150538056","221715015619316312491849204525725912023","28453236996130509214530901712868890277","128062032775926429836141200544693008808","49417809668175005423162743296062370115","48460477554060031071705227188834251325","167941230634331765185494302301650989237","142619218965884876281607326391434643336","75893241929449185810075917976272121130"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"integration-tests/src/test/java/org/apache/fineract/integrationtests/client/ImageTest.java"},"signature_version":"v1","id":"CVE-2022-44635-00901b44","source":"https://github.com/apache/fineract/commit/90f854b68886458a466b048807c26ccf31a6f555"},{"digest":{"length":204,"function_hash":"191835977652114232112221867064825047645"},"signature_type":"Function","deprecated":false,"target":{"function":"fetchImage","file":"fineract-provider/src/main/java/org/apache/fineract/infrastructure/documentmanagement/contentrepository/FileSystemContentRepository.java"},"signature_version":"v1","id":"CVE-2022-44635-34a6a47b","source":"https://github.com/apache/fineract/commit/90f854b68886458a466b048807c26ccf31a6f555"},{"digest":{"length":209,"function_hash":"337878926813245140344845358148466515875"},"signature_type":"Function","deprecated":false,"target":{"function":"getRepository","file":"fineract-provider/src/main/java/org/apache/fineract/infrastructure/documentmanagement/contentrepository/ContentRepositoryFactory.java"},"signature_version":"v1","id":"CVE-2022-44635-597218cc","source":"https://github.com/apache/fineract/commit/90f854b68886458a466b048807c26ccf31a6f555"},{"digest":{"length":3823,"function_hash":"157657476025850870008571117033628322714"},"signature_type":"Function","deprecated":false,"target":{"function":"importWorkbook","file":"fineract-provider/src/main/java/org/apache/fineract/infrastructure/bulkimport/service/BulkImportWorkbookServiceImpl.java"},"signature_version":"v1","id":"CVE-2022-44635-6327e7c9","source":"https://github.com/apache/fineract/commit/90f854b68886458a466b048807c26ccf31a6f555"},{"digest":{"length":189,"function_hash":"26956595322337464863796696460997867577"},"signature_type":"Function","deprecated":false,"target":{"function":"fetchFile","file":"fineract-provider/src/main/java/org/apache/fineract/infrastructure/documentmanagement/contentrepository/FileSystemContentRepository.java"},"signature_version":"v1","id":"CVE-2022-44635-76bd76fb","source":"https://github.com/apache/fineract/commit/90f854b68886458a466b048807c26ccf31a6f555"},{"digest":{"length":429,"function_hash":"30630720117791817568375142309863450194"},"signature_type":"Function","deprecated":false,"target":{"function":"writeFileToFileSystem","file":"fineract-provider/src/main/java/org/apache/fineract/infrastructure/documentmanagement/contentrepository/FileSystemContentRepository.java"},"signature_version":"v1","id":"CVE-2022-44635-b550839f","source":"https://github.com/apache/fineract/commit/90f854b68886458a466b048807c26ccf31a6f555"},{"digest":{"line_hashes":["290733147405363131716157170297744781350","171742514963178480549000533520817147315","244380651064171403430122504524034556143","131848830385009185904888027080565249462","129577151012537404100882675339538719584","183561973388541304953387592703538882919","1691888000511687589916469772540395210","271295491802697536272128188030790518155","327914174205727439095868789368031542897","14281999096349903483211911451291779731","11535685915387106111168195390214828378","306724374184274026143505056666197592396","6776654619753410337660829822110053122","207812146613396057472429680533756426851","127623427716121388208177283324602699857","64292456672175456297677707642562845562","79690194290125093357959589596519056883","288972550759624526293532465105540803148","289251155449000591840997886333294855121","58901251288455482757776659545037833407","33080473738526389795181812198602833390","20488657307084144507584292914745951514","235526728289177186276030826610748835886","327204019185754769407271241854738312123","203490035495604507361243294484940380918","142141199368385930371377162242792873902","195568032472403809483290187184977436336","147773012145241670486746096977237550387"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"fineract-provider/src/main/java/org/apache/fineract/infrastructure/documentmanagement/contentrepository/FileSystemContentRepository.java"},"signature_version":"v1","id":"CVE-2022-44635-b88d7014","source":"https://github.com/apache/fineract/commit/90f854b68886458a466b048807c26ccf31a6f555"},{"digest":{"length":192,"function_hash":"219334126834884043840391103125026751225"},"signature_type":"Function","deprecated":false,"target":{"function":"deleteFileInternal","file":"fineract-provider/src/main/java/org/apache/fineract/infrastructure/documentmanagement/contentrepository/FileSystemContentRepository.java"},"signature_version":"v1","id":"CVE-2022-44635-c7d47632","source":"https://github.com/apache/fineract/commit/90f854b68886458a466b048807c26ccf31a6f555"},{"digest":{"line_hashes":["45804566911881964965880258516855418661","217284974128005338535191930346520843391","119361211039533209476386451460785086097","49675275339262749401929874149555576073","272834530818510120776147932868729265867","84800356107528021590030932152221473990","317596943331555921459978520414809510958","37686261679822523943930741787008863598","337914527217350888079694539185068263376","268110569407540807600615316023020396637","203457291866148430443969551069045152699","67890544069490582692450550907678184963","109647316895975894074387206124706492933"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"fineract-provider/src/main/java/org/apache/fineract/infrastructure/bulkimport/service/BulkImportWorkbookServiceImpl.java"},"signature_version":"v1","id":"CVE-2022-44635-cae6753a","source":"https://github.com/apache/fineract/commit/90f854b68886458a466b048807c26ccf31a6f555"},{"digest":{"length":128,"function_hash":"302613775472807712167292276078157719882"},"signature_type":"Function","deprecated":false,"target":{"function":"getRepository","file":"fineract-provider/src/main/java/org/apache/fineract/infrastructure/documentmanagement/contentrepository/ContentRepositoryFactory.java"},"signature_version":"v1","id":"CVE-2022-44635-fc20cb4d","source":"https://github.com/apache/fineract/commit/90f854b68886458a466b048807c26ccf31a6f555"},{"digest":{"line_hashes":["183212286132335441830579932720797076092","202533192653601833581495246028596436438","226135292886902465745883409908639081409","224626643227632232292092261257462647430","203079776918701771478985598876749658148","313031135324766457911788947231295226907","310923028817152656633183729501779947494","169365811610944753413855783715440958405","207307924154199858032293986368628953182","235016805383715033138004703861084412691","45219846187101252312196244757190041131","339772509305153306562989924283341513839","46412348323836929219315986860310938086","97509751825814953693542434141419489483"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"fineract-provider/src/main/java/org/apache/fineract/infrastructure/documentmanagement/contentrepository/ContentRepositoryFactory.java"},"signature_version":"v1","id":"CVE-2022-44635-ffc213e0","source":"https://github.com/apache/fineract/commit/90f854b68886458a466b048807c26ccf31a6f555"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-44635.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}