Security Advisory WSO2-2019-0661

Published: January 03, 2020

Severity: Medium

CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


  • WSO2 Enterprise Integrator


Enterprise Integrator is allowing unauthenticated access to a JSP file in the management console.


Enterprise Integrator is vulnerable to unauthenticated access to a JSP file in the message processor configuration in the management console. This JSP file is called when the message processor configuration is updated from the source view.


An attacker can access the unauthenticated JSP file and extract data regarding the message processors without logging in.


Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to

Download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from Security Patch Releases.

Code Product Version Patch
EI WSO2 Enterprise Integrator 6.5.0 WSO2-CARBON-PATCH-4.4.0-5684

If you are using older versions of affected products, it is highly recommended to migrate to the latest released version to receive security fixes.


If you are a WSO2 customer with a support subscription, use WSO2 Update Manager (WUM) updates in order to apply the fix. This patch is intended for WSO2 community (free) users.

If you are using newer versions of the products than the ones mentioned in the SOLUTION section, this vulnerability is fixed.