CVE-2023-49735

WSO2 Products impacted: no

Customer actions required: no


REPORTED VULNERABILITY

In Apache Tiles, DefaultLocaleResolver.LOCALE_KEY names the session attribute that stores a user's locale or language (for example en or fr). If an unvalidated locale value taken from that attribute is later used to resolve XML definition files, it can lead to path traversal or XML-based attacks such as XXE and SSRF.

REPORTED PRODUCTS

  • WSO2 API Manager : 3.0.0, 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0
  • WSO2 Identity Server : 5.11.0, 6.0.0, 6.1.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0

WSO2 JUSTIFICATION

In the WSO2 codebase, user input is never used to set the DefaultLocaleResolver.LOCALE_KEY session attribute, and there are no usages of LOCALE_KEY.

WSO2 uses an extended class, CarbonUrlDefinitionsFactory, which bypasses Tiles context processing and thereby disables locale-based resolution of Tiles definition files. It assumes the current context/locale is already fully loaded and therefore skips the logic that searches for and parses localized definition files. The application only serves the base definitions loaded during initialization, regardless of the user's browser language or session locale.

Additionally, XML parsing in WSO2 Products is hardened so that malformed input is handled robustly and XML-based vulnerabilities such as XXE attacks are prevented.
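As an added illustration of the two controls described above (this is example code, not WSO2's or Apache Tiles' own), the following Java sketch shows a definitions lookup that accepts a session locale only when it matches a strict language[_COUNTRY] form and an allowlist of shipped translations, falling back to the base definitions file otherwise, and then parses the selected file with a DocumentBuilderFactory configured to reject DOCTYPE declarations and external entities. The class name, the allowlist contents, the resource base path and the sample XML are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Illustrative class (not WSO2 or Apache Tiles code): resolves a Tiles-style
 * localized definitions file name from a session locale only after the
 * locale has been validated, then parses it with an XXE-hardened parser.
 */
public final class SafeDefinitionsResolver {

    // Tiles looks up localized definitions as "<base>_<locale>.xml". Only a
    // strict language[_COUNTRY] form is accepted, so a value containing path
    // separators, dots or a URL can never become part of the resource name.
    private static final Pattern LOCALE_FORM = Pattern.compile("^[a-z]{2}(_[A-Z]{2})?$");

    // Locales the application actually ships translations for (assumed for the example).
    private static final Set<String> SUPPORTED = Set.of("en", "fr", "en_US", "fr_FR");

    /** Returns the definitions resource for the locale, or the base file when the locale is not trusted. */
    public static String definitionsResource(String base, String localeFromSession) {
        if (localeFromSession == null
                || !LOCALE_FORM.matcher(localeFromSession).matches()
                || !SUPPORTED.contains(localeFromSession)) {
            // Fall back to the base definitions, as a locale-agnostic factory does.
            return base + ".xml";
        }
        return base + "_" + localeFromSession + ".xml";
    }

    /** Builds a DocumentBuilder with DOCTYPEs, external entities and external DTD/schema access disabled. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses a definitions document with the hardened builder. */
    public static Document parseDefinitions(InputStream in)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a supported locale and a value that is not a locale at all.
        System.out.println(definitionsResource("/WEB-INF/tiles-defs", "fr"));      // /WEB-INF/tiles-defs_fr.xml
        System.out.println(definitionsResource("/WEB-INF/tiles-defs", "../../x")); // /WEB-INF/tiles-defs.xml

        // Constructed definitions document in the Tiles format; parses normally.
        String plain = "<tiles-definitions><definition name=\"home\" template=\"/home.jsp\"/></tiles-definitions>";
        Document d = parseDefinitions(new ByteArrayInputStream(plain.getBytes(StandardCharsets.UTF_8)));
        System.out.println(d.getDocumentElement().getTagName()); // tiles-definitions

        // Any DOCTYPE, even one declaring only an internal entity, is rejected outright,
        // so entity-based tricks never reach the entity resolver.
        String withDoctype = "<!DOCTYPE d [<!ENTITY x \"y\">]><tiles-definitions>&x;</tiles-definitions>";
        try {
            parseDefinitions(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The locale check is deliberately two-layered: the pattern rules out anything that is not shaped like a locale, and the allowlist rules out well-formed locales the application has no file for, so a lookup can only ever name a file the deployment shipped. The parser settings are the usual defensive set for the JDK's built-in DocumentBuilderFactory; on other XML implementations an unsupported feature name raises ParserConfigurationException rather than being silently ignored, which is the failure mode you want.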

Based on this evidence, we conclude that this vulnerability does not pose a security risk to the impacted versions of WSO2 Products listed above.

REFERENCES