Security Advisory WSO2-2021-1497

Published: December 03, 2021

Version: 1.0.0

Severity: High

CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)


  • WSO2 API Manager : 3.2.0 , 4.0.0


When invoking an API protected with API Key, signature of the cached API Key is not validated.


In order to access the API resources, consumers need to provide an OAuth2 token, or an API Key. When the API Key (which is based on JWT) is used to consume API resources, the API Gateway fails to verify the JWT signature of the cached API Key.


By leveraging this vulnerability, a malicious actor can access the API resources using tampered API Key with an invalid signature. However, CIA impact is dependent on the deployed APIs' use cases.


If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):


If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.