SECURITY ADVISORY WSO2-2023-2803

Published: November 10, 2024

Version: 1.0.0

Severity: Critical

CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)


AFFECTED PRODUCTS

  • WSO2 API Manager : 4.2.0

OVERVIEW

Broken Authentication Vulnerability in REST API Endpoints.

DESCRIPTION

A malicious actor could manipulate the REST API path and bypass authentication checks relevant to some Rest APIs.

IMPACT

Considering the most critical REST API endpoint affected by this vulnerability, the successful exploitation could allow a malicious actor to impersonate and authenticate as a different targeted user (including an administrator, given the username of the administrator user is known to the malicious actor).

SOLUTION

We highly recommend to migrate the latest version of respective WSO2 products to mitigate the identified vulnerabilities.

Info

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.