Security Advisory WSO2-2019-0661

Published: January 03, 2020

Severity: Medium

CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


AFFECTED PRODUCTS

  • WSO2 Enterprise Integrator

OVERVIEW

Enterprise Integrator allows unauthenticated access to a JSP file in the management console.

DESCRIPTION

Enterprise Integrator is vulnerable to unauthenticated access to a JSP file that belongs to the message processor configuration section of the management console. This JSP is invoked when a message processor configuration is updated from the source view, and it can be requested directly without a valid console session.

IMPACT

An attacker can request this JSP directly, without logging in to the management console, and extract data about the configured message processors. The CVSS vector reflects this: no privileges or user interaction are required, and the impact is limited to confidentiality.

SOLUTION

Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to security@wso2.com.

Download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from Security Patch Releases.

  Code   Product                      Version   Patch
  EI     WSO2 Enterprise Integrator   6.5.0     WSO2-CARBON-PATCH-4.4.0-5684

If you are using older versions of affected products, it is highly recommended to migrate to the latest released version to receive security fixes.
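The following helper is an added example for verifying the fix described above; it is not part of this advisory or of WSO2's own tooling. It assumes (none of which the advisory states) that the management console sits under /carbon on port 9443, that Carbon's login page is /carbon/admin/login.jsp, and that patches are installed as directories under <EI_HOME>/repository/components/patches/ whose name contains the patch number. The affected JSP path is not named in the advisory, so it is taken as a parameter rather than guessed. The classification logic runs on constructed responses, so it can be exercised offline; the network probe requires a reachable console.

```python
"""Post-patch verification for a WSO2 Carbon-based management console.

Added example, not WSO2's code.  Assumptions (not in the advisory):
console under /carbon, login page /carbon/admin/login.jsp, patches
installed under <EI_HOME>/repository/components/patches/ in a directory
whose name contains the patch number.  The JSP path is supplied by the
caller; the advisory does not name it.
"""
import os
import ssl
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse

LOGIN_PAGE = "/carbon/admin/login.jsp"   # assumed Carbon login page


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx; we want to inspect the Location header ourselves."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_response(status, headers, body):
    """Classify an unauthenticated request for a console resource.

    Returns 'protected', 'exposed', 'not-found' or 'unknown'.  A patched
    console should answer a session-less request for a console JSP with a
    redirect to the login page, a 401/403, or the login form itself.
    """
    if status == 404:
        return "not-found"
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400:
        path = urlparse(headers.get("Location", "")).path
        return "protected" if path.endswith(LOGIN_PAGE) else "exposed"
    if status == 200:
        # Some Carbon builds render the login form at 200 instead of redirecting.
        if "login.jsp" in body or 'name="username"' in body:
            return "protected"
        return "exposed"
    return "unknown"


def probe(base_url, jsp_path, verify_tls=False, timeout=10):
    """Fetch jsp_path under base_url with no session cookie and classify it."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # self-signed certificates are common on WSO2 consoles
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    url = base_url.rstrip("/") + jsp_path
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, resp.headers, body)
    except HTTPError as err:  # 3xx and 4xx arrive here because redirects are refused
        body = err.read().decode("utf-8", "replace")
        return classify_response(err.code, err.headers, body)


def patch_installed(ei_home, patch_number="5684"):
    """Check repository/components/patches/ for a directory naming the patch."""
    patches_dir = os.path.join(ei_home, "repository", "components", "patches")
    if not os.path.isdir(patches_dir):
        return False
    return any(patch_number in name for name in os.listdir(patches_dir))


if __name__ == "__main__":
    import sys
    # usage: verify.py https://ei.example:9443 /carbon/<assumed-jsp-path> [EI_HOME]
    print("console:", probe(sys.argv[1], sys.argv[2]))
    if len(sys.argv) > 3:
        print("patch 5684 present:", patch_installed(sys.argv[3]))
```

Run the probe from a host that is allowed to reach the console; a result of "exposed" for the affected JSP means the fix is not in place, while "protected" after the patch is applied confirms the console now demands a session. The directory check only shows that the patch files were copied, so pair it with the probe after restarting the server.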

INFO

If you are a WSO2 customer with a support subscription, use WSO2 Update Manager (WUM) updates in order to apply the fix. This patch is intended for WSO2 community (free) users.

If you are running a newer version of the product than the ones listed in the SOLUTION section, the fix is already included and no patch is required.