Security Advisory WSO2-2017-0261

Published: September 04, 2017

Severity: High

CVSS Score: 7.3 (CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)


  • WSO2 Governance Registry 5.4.0


A potential Session Fixation vulnerability has been identified in the Publisher and Store applications.


The Store and Publisher applications do not renew the session ID upon user login, resulting in a potential Session Fixation vulnerability.

An attacker could potentially exploit this vulnerability by fixing a session ID or gaining access to an unauthenticated initial session ID and later using the same ID after the user authentication is completed.


An attacker could gain the same access level as the victim and perform activities by impersonating the victim.


Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to

Download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from Security Patch Releases.

Code Product Version Patch
GREG WSO2 Governance Registry 5.4.0 WSO2-CARBON-PATCH-4.4.0-1221


If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.