Security Advisory WSO2-2021-1411

Published: December 03, 2021

Version: 1.0.0

Severity: Medium

CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L)


  • WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0
  • WSO2 IoT Server : 3.3.1


Insecure file upload vulnerability in the API Publisher REST API.


API Publisher REST API can be used to upload executable files for documentation resources. Such documentation resource can be downloaded from the API Publisher/Store.


In order to exploit this vulnerability, the malicious actor should have a valid user account with the required privileges to authenticate to the API Publisher and should be able to call Publisher REST APIs. The possible impacts include delivering malicious executables to the end user of the API Publisher/Store. To have successful exploitation, the end user should download the malicious file using the documentation downloading feature and execute it. Such execution could lead to an impact on the confidentiality, integrity and availability of the system, depending on the behaviour of the executable.


If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):


If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.