Security Advisory WSO2-2019-0571
Published: November 04, 2019
Severity: Medium
CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
AFFECTED PRODUCTS
- WSO2 Enterprise Integrator
OVERVIEW
Providing users with an option to disable the try-it functionality.
DESCRIPTION
If the try-it service is exposed publicly without authentication, it can be used to facilitate Server Side Request Forgery (SSRF) attacks.
IMPACT
An attacker can leverage this SSRF to access services reachable from the affected server.
SOLUTION
Upgrade the product to 6.5.0 or a higher version, which is not affected by this SSRF vulnerability. If you have any questions, post them to security@wso2.com.
Info: It is highly recommended to migrate older versions of the WSO2 products to the latest released version to receive security fixes.
CREDITS
WSO2 thanks Soner Soydinc for responsibly reporting the identified issue and working with us as we addressed it.