CVE-2021-28490
WSO2 Products impacted: no
Customer action required: no
REPORTED VULNERABILITY
In OWASP CSRFGuard through version 3.1.0, the CSRF protection mechanism contains a design weakness in how the CSRF token is handed out: the token can be retrieved by a request that carries only the session token, without the additional validation the library is meant to enforce, which can let an attacker forge state-changing requests on behalf of a logged-in user 1. The NVD rates this vulnerability with a CVSS v3.1 base score of 8.8 (High); however, the OWASP CSRFGuard maintainers and independent security databases assess the real-world severity as Low 2 3, because successful exploitation depends on conditions that are not representative of standard production deployments.
REPORTED PRODUCTS
- WSO2 API Manager: 3.0.0, 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0
WSO2 JUSTIFICATION
WSO2 API Manager packages the OWASP CSRFGuard library as the OSGi bundle csrfguard_3.1.0.wso2vx.jar, built from the WSO2-maintained fork at version 3.1.0-wso2v2 4. That version predates CSRFGuard 4.0.0, the release in which the reported vulnerability was addressed, so a purely version-based scan will flag the bundle. CVE-2021-28490 concerns the way the CSRFGuard library hands out its CSRF token; the conditions required to exercise that behaviour are not present in standard WSO2 API Manager deployments, which is why the product is assessed as not impacted despite the version match.
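To check whether an installation carries the flagged bundle, the shell script below (an added example, not WSO2's own tooling) locates the csrfguard_*.jar under the plugins directory and compares the upstream version embedded in its filename with 4.0.0, the first CSRFGuard release containing the fix. The `<PRODUCT_HOME>/repository/components/plugins` path and the fixture the script builds for its demo run are assumptions for illustration. A "pre-fix" result shows only that the bundle predates the fix; it does not by itself mean the deployment is exploitable, which is the point of the justification above.

```shell
#!/bin/sh
# Added example, not WSO2 tooling: find the CSRFGuard OSGi bundle shipped in a
# WSO2 API Manager installation and compare the upstream CSRFGuard version in
# its filename against 4.0.0, the first OWASP CSRFGuard release with the fix
# for CVE-2021-28490. The plugins directory is assumed to follow the usual
# <PRODUCT_HOME>/repository/components/plugins layout.

FIXED_VERSION="4.0.0"

# version_key 3.1.0 -> 003.001.000, so that plain string sorting orders versions.
version_key() {
  printf '%s' "$1" | awk -F. '{ printf "%03d.%03d.%03d", $1, $2, $3 }'
}

# version_lt A B: succeeds when dotted version A is strictly lower than B.
version_lt() {
  ka=$(version_key "$1")
  kb=$(version_key "$2")
  [ "$ka" != "$kb" ] && [ "$(printf '%s\n%s\n' "$ka" "$kb" | sort | head -n 1)" = "$ka" ]
}

# csrfguard_bundle_version DIR: print the upstream version taken from the first
# csrfguard_*.jar in DIR (csrfguard_3.1.0.wso2v2.jar -> 3.1.0); fail if absent.
csrfguard_bundle_version() {
  for jar in "$1"/csrfguard_*.jar; do
    [ -e "$jar" ] || return 1            # glob matched nothing
    basename "$jar" | sed -E 's/^csrfguard_([0-9]+\.[0-9]+\.[0-9]+).*\.jar$/\1/'
    return 0
  done
}

# csrfguard_status PRODUCT_HOME: print and return one of
#   "pre-fix <version>" (exit 1)  bundle predates 4.0.0: version match for the CVE
#   "fixed <version>"   (exit 0)  bundle is 4.0.0 or later
#   "not-found"         (exit 2)  no CSRFGuard bundle in the plugins directory
csrfguard_status() {
  plugins="$1/repository/components/plugins"
  if ! ver=$(csrfguard_bundle_version "$plugins"); then
    echo "not-found"; return 2
  fi
  if version_lt "$ver" "$FIXED_VERSION"; then
    echo "pre-fix $ver"; return 1
  fi
  echo "fixed $ver"; return 0
}

# Constructed fixture (no real distribution needed): an empty file carrying the
# bundle name from the advisory, placed in the assumed plugins directory.
demo() {
  fixture=$(mktemp -d)
  mkdir -p "$fixture/repository/components/plugins"
  : > "$fixture/repository/components/plugins/csrfguard_3.1.0.wso2v2.jar"
  csrfguard_status "$fixture" || true   # prints: pre-fix 3.1.0
  rm -rf "$fixture"
}

demo
```

Run it against a real installation with `csrfguard_status /opt/wso2am` (path assumed) after sourcing the script; the exit code lets a fleet inventory job separate installations that merely carry the pre-4.0.0 bundle from those already on a fixed release.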
Severity reassessment
The NVD CVSS v3.1 base score of 8.8 (High) is a worst-case assessment that takes no account of deployment context. The OWASP CSRFGuard maintainers and multiple independent databases assess the vulnerability as Low severity because exploitation requires non-standard conditions that fall outside typical production deployments. WSO2 aligns with this reassessment:
- Multiple independent assessments: The OWASP CSRFGuard development team rates this as Low severity 3, Snyk assesses it as 3.1 (Low) 2, and other independent databases similarly rate it below the NVD score. This convergence of expert opinion reflects the impracticality of exploitation under standard conditions.
- Environmental factors prevent exploitation: The behaviour of current browsers and the configuration of a standard WSO2 API Manager deployment do not provide the non-standard conditions the attack requires; reaching them would require significant deviations from standard deployment practices.
- Low exploitation likelihood: The vulnerability's EPSS score of 0.141% (34th percentile) indicates a very low estimated probability of exploitation in the wild 5. EPSS is a predictive score derived from exploitation data, not a record of attacks against this product.
Based on this analysis, CVE-2021-28490 does not pose a practical security risk to the listed WSO2 API Manager versions under standard deployment conditions. Customers whose version-based scanners flag the bundled csrfguard_3.1.0.wso2vx.jar can treat the finding as a version match only; no customer action is required.