

Security Advisory WSO2-2021-1350

Published: September 07, 2021

Version: 1.0.0

Severity: Medium

CVSS Score: 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

---

AFFECTED PRODUCTS

• API Manager : 2.2.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0

OVERVIEW

Unauthenticated access to non-sensitive registry resources.

DESCRIPTION

It is possible to download non-sensitive registry resources such as API documentation and API icons without being authenticated.

IMPACT

By leveraging this vulnerability, a person can access the particular registry resources of API documentation without authenticating to the management console.

SOLUTION

The recommended solution is to block these request URL paths from the LB level. Please allow only /registry/resource/_system/governance/apimgt/applicationdata/icons and block all other paths starting from /registry. The Icon path is used to display thumbnail icons in APIs hence it is required to be allowed. When it comes to API Manager 3.x and newer versions, the entire /registry path can be blocked from the LB level.

Info

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.