Security Advisory WSO2-2017-0261

Published: September 04, 2017

Severity: High

CVSS Score: 7.3 (CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)


AFFECTED PRODUCTS

  • WSO2 Governance Registry 5.4.0

OVERVIEW

A potential Session Fixation vulnerability has been identified in the Publisher and Store applications.

DESCRIPTION

The Store and Publisher applications do not renew the session ID upon user login, resulting in a potential Session Fixation vulnerability.

An attacker could potentially exploit this vulnerability by fixing a session ID or gaining access to an unauthenticated initial session ID and later using the same ID after the user authentication is completed.

IMPACT

An attacker could gain the same access level as the victim and perform activities by impersonating the victim.

SOLUTION

Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to security@wso2.com.

Download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from Security Patch Releases.

Code Product Version Patch
GREG WSO2 Governance Registry 5.4.0 WSO2-CARBON-PATCH-4.4.0-1221

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.