WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSRF to this node's entire intranet.
- WSO2 API Manager - Publisher Portal
The WSO2 API Manager Publisher Portal provides functionality for checking whether the backend endpoint of the API being published is reachable. Making external or internal network calls is the intended behaviour of this functionality, and thus it cannot be prevented at the product level.
These functionalities are secured via OAuth2 scopes (apim:api_create). Therefore, such functions can only be accessed by privileged publisher-users with creator, publisher or admin roles assigned to them. As an additional measure, in WSO2 API Manager - Security Guidelines for Production Deployment, WSO2 recommends that the outbound connections of the Publisher node should be restricted only to the nodes that the Publisher Portal is intended to communicate with.
For the aforementioned reasons, WSO2 does not consider this a threat in the context of WSO2 API Manager. This feature has been intentionally provided to allow WSO2 API Manager Publisher users, who have the required permissions, to carry out operations related to API publishing.
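The recommendation above, to restrict the Publisher node's outbound connections to the nodes it is meant to reach, can be backed by an audit of configured backend endpoints against the same allowlist. The following is an added example, not WSO2 code: the networks, ports, hostnames and the `check_endpoint` and `audit` names are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist (assumption): networks and ports the Publisher may reach.
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.20.0.0/24"), {443, 8243}),  # hypothetical gateway subnet
    (ipaddress.ip_network("10.20.1.10/32"), {9443}),      # hypothetical key manager
]
DEFAULT_PORTS = {"http": 80, "https": 443}

def check_endpoint(url, resolve):
    """Return (allowed, reason). resolve maps a hostname to a list of IP strings;
    it is injected so the check can run offline against recorded DNS answers."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in DEFAULT_PORTS:
        return False, "scheme is not http or https"
    if not parts.hostname:
        return False, "no host in URL"
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # host is an IP literal
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        # Treat ::ffff:a.b.c.d as the IPv4 address it maps to.
        addr = getattr(addr, "ipv4_mapped", None) or addr
        # Every resolved address must be allowed, not just the first one.
        if not any(addr in net and port in ports for net, ports in ALLOWED_EGRESS):
            return False, f"{addr}:{port} is outside the egress allowlist"
    return True, "ok"

# Constructed sample data: recorded DNS answers and endpoints to audit.
SAMPLE_DNS = {"orders.example.internal": ["10.20.0.7"],
              "mixed.example.internal": ["10.20.0.7", "192.168.1.5"]}
SAMPLE_ENDPOINTS = ["https://10.20.0.15:8243/orders", "http://127.0.0.1:9443/",
                    "https://orders.example.internal/v1", "https://mixed.example.internal/"]

def audit(urls, dns=SAMPLE_DNS):
    return {u: check_endpoint(u, lambda h: dns.get(h, [])) for u in urls}

if __name__ == "__main__":
    for url, (ok, reason) in audit(SAMPLE_ENDPOINTS).items():
        print("ALLOW" if ok else "DENY ", url, "-", reason)
```

Because DNS answers can change after an audit, a check like this only reports drift; the firewall or security-group rule on the Publisher node remains the enforcing control.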