Security Advisory WSO2-2021-1453
Published: 7th September 2021
Version: 1.0.0
Severity: Medium
CVSS Score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
AFFECTED PRODUCTS
- WSO2 API Manager: 3.2.0, 4.0.0
OVERVIEW
Sensitive information disclosed in API Publisher.
DESCRIPTION
When API endpoints are secured with Basic Auth, the Download API and Export functionality of the API Publisher expose the Basic Auth credentials in clear text.
IMPACT
In order to exploit this vulnerability, the malicious actor should be able to reach the API Publisher and should have a valid user account with access to it. Due to the sensitive information disclosure, a malicious actor with such access may extract the credentials and perform direct backend endpoint invocations, or cause other harm. In addition, already downloaded/exported archives affected by this issue could lead to unauthorized access to backend endpoints.
SOLUTION
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.
Otherwise, you may apply the relevant fixes to the product based on the public fix(es):
If you are affected by the impact relevant to already downloaded/exported archives, it is highly recommended to change Basic Auth credentials used in securing backend endpoints.
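To find which already downloaded/exported archives carry clear-text Basic Auth credentials, and therefore which backend credentials need rotating, the following added example (not code from the advisory or from WSO2) walks every JSON member of an archive and reports the location of each non-empty secret field without printing its value. The member path and the `endpointConfig`/`endpoint_security`/`password` key names are assumptions about the export layout; adjust them to your product version, and use PyYAML in the same way if your export is YAML.

```python
import io
import json
import zipfile

SECRET_KEYS = {"password"}  # assumed field name for the Basic Auth secret (not from the advisory)

def _walk(node, path):
    """Yield (path, value) for every scalar inside a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + [str(key)])
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + [str(index)])
    else:
        yield path, node

def find_cleartext_credentials(archive_bytes):
    """Return (member, json-path) for every non-empty secret field found in the
    archive's JSON members. The secret values themselves are never returned."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as archive:
        for member in archive.namelist():
            if not member.endswith(".json"):
                continue
            try:
                document = json.loads(archive.read(member))
            except ValueError:
                continue  # not a JSON document; skip it
            for path, value in _walk(document, []):
                if path and path[-1] in SECRET_KEYS and isinstance(value, str) and value:
                    findings.append((member, "/".join(path)))
    return findings

def build_sample_archive():
    """Constructed sample export (layout and keys are assumptions) describing an
    API whose backend endpoint is secured with Basic Auth."""
    api = {"name": "SampleAPI", "endpointConfig": {"endpoint_type": "http",
           "endpoint_security": {"production": {"type": "BASIC",
               "username": "backend-user", "password": "example-secret"}}}}
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("SampleAPI-1.0.0/Meta-information/api.json", json.dumps(api))
        archive.writestr("SampleAPI-1.0.0/README.txt", "not a JSON member")
    return buffer.getvalue()

if __name__ == "__main__":
    for member, location in find_cleartext_credentials(build_sample_archive()):
        print(f"clear-text credential in {member} at {location}")
```

Run it against each archive you have on disk; every reported path identifies a backend endpoint whose Basic Auth credentials should be changed.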
Info: If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.