Security Advisory WSO2-2021-1350

Published: September 07, 2021

Version: 1.0.0

Severity: Medium

CVSS Score: 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


  • API Manager : 2.2.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0


Unauthenticated access to non-sensitive registry resources.


It is possible to download non-sensitive registry resources such as API documentation and API icons without being authenticated.


By leveraging this vulnerability, a person can access the particular registry resources of API documentation without authenticating to the management console.


The recommended solution is to block these request URL paths from the LB level. Please allow only /registry/resource/_system/governance/apimgt/applicationdata/icons and block all other paths starting from /registry. The Icon path is used to display thumbnail icons in APIs hence it is required to be allowed. When it comes to API Manager 3.x and newer versions, the entire /registry path can be blocked from the LB level.


If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.