Security Advisory WSO2-2021-1318

Published: June 27, 2023

Version: 1.0.0

Severity: Medium

CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


AFFECTED PRODUCTS

  • WSO2 API Manager Analytics: 3.2.0, 3.1.0, 3.0.0
  • WSO2 Enterprise Integrator: 6.6.0, 6.5.0
  • WSO2 Enterprise Integrator Analytics: 7.1.0
  • WSO2 Identity Server Analytics: 5.8.0
  • WSO2 Micro Integrator Monitoring Dashboard: 1.2.0, 1.1.0
  • WSO2 Stream Processor: 4.4.0
  • WSO2 Streaming Integrator Tooling: 1.1.0, 1.0.0

OVERVIEW

A WebSocket authentication bypass vulnerability in Analytics.

DESCRIPTION

Due to improper session management, malicious actors can establish WebSocket connections without any authentication or authorization.

IMPACT

By exploiting this vulnerability, an unauthenticated malicious actor may access analytics data.

SOLUTION

If the latest version of your WSO2 product is not listed among the affected products, you may migrate to that latest version to receive the security fix.

Otherwise, you may apply the relevant fixes to the product based on the public fix(es):

Info

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.