SECURITY ADVISORY WSO2-2023-2803
Published: November 10, 2024
Version: 1.0.0
Severity: Critical
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
AFFECTED PRODUCTS
- WSO2 API Manager: 4.2.0
OVERVIEW
Broken Authentication Vulnerability in REST API Endpoints.
DESCRIPTION
A malicious actor could manipulate the REST API path and bypass the authentication checks that apply to some REST APIs.
IMPACT
Considering the most critical REST API endpoint affected by this vulnerability, successful exploitation could allow a malicious actor to impersonate and authenticate as a different targeted user, including an administrator, provided the administrator's username is known to the malicious actor.
SOLUTION
We highly recommend migrating to the latest version of the respective WSO2 products to mitigate the identified vulnerability.
Info: If you are a WSO2 customer with a Support Subscription, please use WSO2 Updates to apply the fix.