Security Advisory WSO2-2022-2165

Published: May 31, 2024

Version: 1.0.0

Severity: High

CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


  • WSO2 API Manager : 4.2.0 , 4.1.0 , 4.0.0 , 3.2.0 , 3.1.0 , 3.0.0 , 2.6.0 , 2.5.0 , 2.2.0 , 2.1.0
  • WSO2 IS as Key Manager : 5.10.0 , 5.9.0 , 5.7.0
  • WSO2 Identity Server : 6.0.0 , 5.11.0 , 5.10.0 , 5.9.0 , 5.8.0 , 5.7.0


Sensitive information disclosure.


Following unused files, can be accessible over the web browser without any authorization. It could lead to a security threat if an entity has configured any sensitive values within these unused files.

  • <PRODUCT_HOME>/repository/deployment/server/webapps/authenticationendpoint/
  • <PRODUCT_HOME>/repository/deployment/server/webapps/accountrecoveryendpoint/


The portals with the problematic configuration (authenticationendpoint and accountrecoveryendpoint) can be deployed in two methods.

In the default deployment mode where authenticationendpoint & accountrecoveryendpoint portals are hosted within the Identity Server itself, the default REST API password could be exposed through the .properties files in the root folder. But WSO2 has strongly recommended through deployment security guidelines to change the default REST API passwords 1 (step 2 - first 2 points). The modification is made through the deployment.toml. This will only change the config file inside the <PRODUCT_HOME>/repository/conf folder, and will not alter the file in question. Hence a malicious actor will not be able to get hold of modified passwords. In summary, if you have already changed the default REST API password, and have done it through deployment. The toml REST API credentials are not exposed.

The second mode of deployment where the authentication and recovery portals are externally hosted outside of the Identity server. In this approach, though we recommend changing the default password, the changed passwords could be accessible through the browser as we are asking the users to update the file in question through the documentation in the [1] (step 2 : 3rd, 4th point). In such a case, it should be assumed that the REST API credential has been exposed.

However, WSO2 APIs use custom authentication mechanisms. Therefore, even if the malicious actor get hold of the credential exposed through the vulnerability, the malicious actor should be aware of the customized authentication method to make use of the credential.


If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

For externally hosted applications, WSO2 recommends removing the below-listed vulnerable files from the given location. Further, it must change the passwords and restart the server

  • webapps/authenticationendpoint/
  • webapps/accountrecoveryendpoint/

In deployments where the changed credential was exposed, it is further recommended to search your access logs for entries with and to confirm if an external party has accessed these configuration files.


If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.