ZK Framework AuUploader Information Disclosure (CVE-2022-36537) - Vulnerability Database

ZK Framework AuUploader Information Disclosure (CVE-2022-36537)

Description

The ZK Framework's AuUploader component contains a path traversal vulnerability that lets unauthenticated remote attackers read arbitrary files from the web application's file system. Applications that use an affected ZK Framework version are exposed because AuUploader does not properly validate file paths while handling upload operations, which allows directory traversal.

Remediation

Immediately upgrade the ZK Framework to a patched version that addresses CVE-2022-36537. According to ZK-5150, this vulnerability is fixed in ZK 9.6.2, 10.0.0, and later versions. Follow these steps:

1. Identify your current ZK Framework version in your project dependencies (pom.xml for Maven or build.gradle for Gradle)
2. Update to ZK Framework version 9.6.2 or later (or 10.0.0+ if using ZK 10.x)
3. Test the AuUploader functionality thoroughly after upgrading to ensure compatibility
4. If immediate patching is not possible, implement temporary mitigations such as restricting access to upload endpoints through web application firewall rules or authentication requirements
5. Review application logs for any suspicious file access patterns that may indicate exploitation attempts
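Steps 1 and 2 above amount to finding every ZK dependency in the build and comparing its version with the first fixed release named by this entry. The following script is an added example (not Invicti's or ZK's own code) that audits a Maven pom.xml and a Gradle build file for artifacts under the real ZK groupId `org.zkoss.zk`, resolves `${...}` version properties declared in `<properties>`, and reports each artifact as affected, patched, or unresolved. The fixed-version threshold (9.6.2, which also covers 10.0.0 and later) is taken from this page; the sample build files and the artifact names `zk` and `zul` are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# First patched release named by the advisory (ZK 9.6.2; 10.0.0+ compares above it).
# Anything below this threshold is reported as affected. This is a deliberately
# conservative check that follows only the fix line stated on the page.
FIXED_FROM = (9, 6, 2)

# Real Maven groupId of the ZK framework; every artifact under it is checked.
ZK_GROUP_ID = "org.zkoss.zk"


def parse_version(text):
    """Turn a version string such as '9.6.0.1' into (9, 6, 0, 1) for numeric comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_vulnerable(version):
    """True when the version sorts below the first fixed release on the page."""
    return parse_version(version) < FIXED_FROM


def _local(tag):
    """Strip the XML namespace so a Maven POM with xmlns still matches by tag name."""
    return tag.rsplit("}", 1)[-1]


def find_zk_dependencies_in_pom(pom_xml):
    """Return (artifactId, version) for each dependency under the ZK groupId.

    Version values that reference a property, e.g. ${zk.version}, are resolved
    from the POM's own <properties> block when it declares them.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            for prop in node:
                props[_local(prop.tag)] = (prop.text or "").strip()

    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        if fields.get("groupId") != ZK_GROUP_ID:
            continue
        version = fields.get("version", "")
        # Substitute declared properties; unknown properties stay as-is and are reported as unresolved.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        found.append((fields.get("artifactId", "?"), version))
    return found


# Matches Gradle string notation such as implementation 'org.zkoss.zk:zk:9.6.2'
GRADLE_DEP = re.compile(r"['\"]org\.zkoss\.zk:([\w-]+):([^'\"]+)['\"]")


def find_zk_dependencies_in_gradle(gradle_text):
    """Return (artifactId, version) for each ZK dependency written in string notation."""
    return GRADLE_DEP.findall(gradle_text)


def audit(dependencies):
    """Classify each (artifact, version) pair as AFFECTED, patched, or unresolved."""
    report = []
    for artifact, version in dependencies:
        if not version or "${" in version:
            status = "unresolved"   # version comes from outside this file; check the parent POM or BOM
        elif is_vulnerable(version):
            status = "AFFECTED"
        else:
            status = "patched"
        report.append((artifact, version, status))
    return report


# Constructed sample build files for the demonstration (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0</version>
  <properties>
    <zk.version>9.6.1</zk.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.zkoss.zk</groupId>
      <artifactId>zk</artifactId>
      <version>${zk.version}</version>
    </dependency>
    <dependency>
      <groupId>org.zkoss.zk</groupId>
      <artifactId>zul</artifactId>
      <version>${zk.version}</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_GRADLE = """dependencies {
    implementation 'org.zkoss.zk:zk:9.6.2'
    implementation "org.zkoss.zk:zul:9.6.2"
}
"""

if __name__ == "__main__":
    for source, deps in (("pom.xml", find_zk_dependencies_in_pom(SAMPLE_POM)),
                         ("build.gradle", find_zk_dependencies_in_gradle(SAMPLE_GRADLE))):
        for artifact, version, status in audit(deps):
            print(f"{source}: {ZK_GROUP_ID}:{artifact}:{version} -> {status}")
```

Run it against a real build by replacing the constructed samples with the file contents; an `unresolved` result means the version is inherited from a parent POM, a BOM, or a Gradle variable and must be traced there before the project can be considered patched.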
