

Security Advisory WSO2-2021-1453

Published: 7th September 2021

Version: 1.0.0

Severity: Medium

CVSS Score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

---

AFFECTED PRODUCTS

• WSO2 API Manager : 3.2.0 , 4.0.0

OVERVIEW

Sensitive information disclosed in API Publisher.

DESCRIPTION

When the API endpoints are secured with Basic Auth, Download API and Export functionality of API Publisher exposes Basic Auth credentials in clear text.

IMPACT

In order to exploit this vulnerability, the malicious actor should be able to reach API Publisher and should have a valid user account which has access to it. Due to the sensitive information disclosure, the malicious actor with such access may extract the credentials and perform direct backend endpoint invocations, or harm otherwise. In addition, already downloaded/exported archives affected by this issue could lead to unauthorized access to backend endpoints.

SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

• https://github.com/wso2/carbon-apimgt/pull/10620

If you are affected by the impact relevant to already downloaded/exported archives, it is highly recommended to change Basic Auth credentials used in securing backend endpoints.

Info

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.