CVE-2022-25237
published 2022-06-02


Priority: P1 · 93 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 56.22% (98.9th percentile)
Bonita Web 2021.2 is affected by an authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.

Affected (1 range)

Vendor      Product     Version range   Fixed in
bonitasoft  bonita_web  (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url     /bonita/loginservice
url     /bonita/API/pageUpload
path    /i18ntranslation/../
cookie  JSESSIONID=
cookie  X-Bonita-API-Token=
suricata (ET rule; the http.uri / http.uri.raw / http.request_body sticky buffers and startswith are Suricata 5 syntax, not Snort 2)
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Bonitasoft Authorization Bypass and RCE Upload M2 (CVE-2022-25237)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bonita/API/pageUpload"; startswith; content:"action=add"; http.uri.raw; content:"/i18ntranslation/../"; fast_pattern; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036820; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2022_06_03;)
suricata (ET rule)
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Bonitasoft Default User Login Attempt M1 (Possible Staging for CVE-2022-25237)"; flow:established,to_server; flowbits:set,ET.BonitaDefaultCreds; http.method; content:"POST"; http.uri; content:"/bonita/loginservice"; fast_pattern; http.request_body; content:"username=install"; content:"password=install"; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036815; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Minor, updated_at 2022_06_03;)
  • Detect authorization bypass attempts by looking for ;i18ntranslation or /../i18ntranslation/ appended to Bonita API URLs in HTTP URI fields.
  • Use the Wireshark filter `urlencoded-form.key == "username" && !(http contains "install")` to list loginservice POSTs that use a username other than the default install account; the distinct usernames are candidate credential-stuffing attempts.
  • Detect default credential login attempts against Bonitasoft: POST to /bonita/loginservice with body containing username=install and password=install (ET SID 2036815).
  • Detect RCE upload exploitation stage: POST to /bonita/API/pageUpload with action=add and URI containing /i18ntranslation/../ while cookies include both JSESSIONID and X-Bonita-API-Token (ET SID 2036820).
  • Use Shodan/FOFA queries to identify exposed Bonita instances: Shodan `http.title:"Bonita" || "Server: Bonita"`, FOFA `title="Bonita" || header="Server: Bonita"`.
  • Post-exploitation persistence: monitor writes to /home/ubuntu/.ssh/authorized_keys as the attacker used the privileged API to plant an SSH public key.
  • Map attacker SSH key persistence to MITRE ATT&CK T1098.004 (Account Manipulation: SSH Authorized Keys).
  • The Nuclei template specifically targets Bonita Web version 2021.2; the bypass payload and detection logic may not apply to patched or newer versions.
  • The Suricata/ET rules (SID 2036820, 2036815) require SSL decryption to be effective against HTTPS-protected Bonita deployments, as noted in the deployment metadata.
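The two ET rules above express the bypass as a mismatch between the raw request URI (what the exclude regex matched) and the normalized URI (what the container actually dispatched to). The script below, added to this entry as an example and not taken from Bonita or from the referenced advisory, applies the same idea to access-log records: it canonicalizes each request target (query dropped, percent-decoding, `;param` matrix segments stripped, `..` resolved) and flags requests that carry `i18ntranslation` in the raw URI but resolve to some other resource, plus the default-credential login and the `pageUpload?action=add` stage. The log lines are constructed for the example, and the trailing quoted request-body field is an assumption about the logging pipeline, not part of the Combined Log Format.

```python
"""Detection example for CVE-2022-25237 (added example; not Bonita's or the advisory's code).
Flags requests whose raw URI contains 'i18ntranslation' purely to satisfy the
RestAPIAuthorizationFilter exclude pattern while actually reaching another endpoint."""
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

BYPASS_TOKEN = "i18ntranslation"
LOGIN_PATH = "/bonita/loginservice"
UPLOAD_PATH = "/bonita/API/pageUpload"

# Combined-log-style line: client, ident, user, [time], "METHOD target PROTO", status,
# size, "request body". The body field is our assumption about the log pipeline.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)

# Constructed sample log: one default-credential login, three bypass variants,
# one legitimate i18ntranslation request and one ordinary login.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:01:02 +0000] "POST /bonita/loginservice HTTP/1.1" 200 0 "username=install&password=install"
10.0.0.5 - - [03/Jun/2022:10:01:05 +0000] "GET /bonita/API/identity/user;i18ntranslation?p=0&c=10 HTTP/1.1" 200 512 ""
10.0.0.5 - - [03/Jun/2022:10:01:09 +0000] "POST /bonita/API/i18ntranslation/../pageUpload?action=add HTTP/1.1" 200 64 ""
10.0.0.5 - - [03/Jun/2022:10:01:11 +0000] "POST /bonita/API/pageUpload;i18ntranslation?action=add HTTP/1.1" 200 64 ""
10.0.0.7 - - [03/Jun/2022:10:02:00 +0000] "GET /bonita/API/system/i18ntranslation?f=locale=en HTTP/1.1" 200 2048 ""
10.0.0.8 - - [03/Jun/2022:10:03:00 +0000] "POST /bonita/loginservice HTTP/1.1" 200 0 "username=alice&password=hunter2"
"""


def canonical_path(raw_target: str) -> str:
    """Reduce a raw request target to the path the servlet container dispatches on:
    drop the query, percent-decode, strip ';param' matrix parameters from every
    segment, collapse repeated slashes and resolve '.' and '..' segments."""
    path = unquote(urlsplit(raw_target).path) or "/"
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    collapsed = re.sub(r"/+", "/", "/".join(segments))
    return posixpath.normpath(collapsed)


def classify(method: str, target: str, body: str) -> list[str]:
    """Return the detection labels that apply to one request."""
    findings = []
    canon = canonical_path(target)
    query = urlsplit(target).query

    if method == "POST" and canon == LOGIN_PATH:
        params = dict(parse_qsl(body))
        if params.get("username") == "install" and params.get("password") == "install":
            findings.append("default-credentials-login")  # same logic as ET SID 2036815

    # Token present in the raw URI, but the canonical path is not the i18ntranslation
    # resource: the token only served to skip the authorization filter.
    if BYPASS_TOKEN in target.lower() and not canon.rstrip("/").endswith("/" + BYPASS_TOKEN):
        findings.append("authz-bypass-pattern")
        if canon.startswith(UPLOAD_PATH) and "action=add" in query:
            findings.append("privileged-page-upload")  # same logic as ET SID 2036820
    return findings


def scan(log_text: str) -> list[dict]:
    """Parse log lines and return one record per line that triggered a finding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production count these rather than drop them
        labels = classify(m["method"], m["target"], m["body"])
        if labels:
            hits.append({"src": m["src"], "target": m["target"],
                         "canonical": canonical_path(m["target"]), "findings": labels})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["src"], hit["target"], "->", hit["canonical"], ",".join(hit["findings"]))
```

Comparing raw against canonical form, rather than grepping for the token, is what keeps the legitimate `/bonita/API/system/i18ntranslation` request out of the results while still catching both the `;i18ntranslation` matrix-parameter form and the `/i18ntranslation/../` traversal form; the same normalization step is what a fixed filter has to perform before applying any exclude pattern.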

CVSS provenance

NVD v3.1:   9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0:   7.5 HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck:  9.8 CRITICAL