Security Advisory WSO2-2019-0655¶
Published: December 02, 2019
Severity: Medium
CVSS Score: 5.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)
AFFECTED PRODUCTS¶
- WSO2 IS as Key Manager
- WSO2 Identity Server
OVERVIEW¶
WSO2 Carbon Management Console retrieves several external JavaScript libraries via an unencrypted HTTP channel.
DESCRIPTION¶
Several JavaScript libraries used by the XACML entitlement user interfaces of WSO2 Carbon Management Console are retrieved from external sources over an unencrypted HTTP channel.
IMPACT¶
A malicious entity may intercept the unencrypted HTTP request used to retrieve the JavaScript content and/or alter the unencrypted HTTP response to include malicious content, in combination with other attack vectors such as Eavesdropper attacks.
SOLUTION¶
Upgrade the WSO2 IS as Key Manager to 5.9.0 and WSO2 Identity Server to 5.9.0 or higher released version which is not affected by this vulnerability. If you have any questions, post them to security@wso2.com.
Info
If you are a WSO2 customer with a support subscription, use WSO2 Update Manager (WUM) updates in order to apply the fix. This patch is intended for WSO2 community (free) users.