

Security Advisory WSO2-2021-1411

Published: December 03, 2021

Version: 1.0.0

Severity: Medium

CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L)

---

AFFECTED PRODUCTS

• WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0
• WSO2 IoT Server : 3.3.1

OVERVIEW

Insecure file upload vulnerability in the API Publisher REST API.

DESCRIPTION

API Publisher REST API can be used to upload executable files for documentation resources. Such documentation resource can be downloaded from the API Publisher/Store.

IMPACT

In order to exploit this vulnerability, the malicious actor should have a valid user account with the required privileges to authenticate to the API Publisher and should be able to call Publisher REST APIs. The possible impacts include delivering malicious executables to the end user of the API Publisher/Store. To have successful exploitation, the end user should download the malicious file using the documentation downloading feature and execute it. Such execution could lead to an impact on the confidentiality, integrity and availability of the system, depending on the behaviour of the executable.

SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

• https://github.com/wso2/carbon-identity-framework/pull/3472

Info

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.