Security Advisory WSO2-2021-1487

Published: February 14, 2022

Version: 1.0.0

Severity: Medium

CVSS Score: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)


  • WSO2 API Manager : 3.1.0 , 3.2.0 , 4.0.0
  • WSO2 IS as Key Manager : 5.10.0


API subscription status is not validated when invoking the API with API Key.


In order to access the API resources, consumers need to subscribe to the APIs and access them with an OAuth2 token or API Key. However, when the API Key is used to consume the resources from the API, API gateway fails to verify the subscription validity status of API Key.


This vulnerability allows consumers to access the API resources using the already generated API Key before unsubscribing the API (until the API Key expires). Therefore by leveraging this vulnerability a malicious actor can consume the resource from the unsubscribed API without the API owner's consent. In addition, If the application has an already generated API key without the expiration period for an unsubscribed API, then the API owner will not have the ability to manage that application subscription since the API subscription is not listed against the API in the Publisher.


If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):


If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.