Security Advisory WSO2-2021-1351

Published: December 03, 2021

Version: 1.0.0

Severity: Medium

CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)


  • WSO2 API Manager : 3.0.0 , 3.1.0 , 3.2.0


Improper Cross-Origin Resource Sharing (CORS) vulnerability in product REST APIs of API Manager.


The Product REST APIs of API Manager allow requests from all domains. This enables a malicious actor to make the victim's browser act as a proxy between a malicious website and the REST APIs.


By design, the API Manager's product REST APIs allow several unauthenticated operations such as listing user created publicly available APIs in the API Store 1. However, if those product APIs are restricted in a deployment using perimeter controls, by leveraging this vulnerability a malicious actor could steal the information from those unauthenticated API endpoints which are not supposed to be reached by them.


If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):


If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.