Security Advisory WSO2-2025-4526/CVE-2025-9955

Published: 2025-10-15

Version: 1.0.0

Severity: Medium

CVSS Score: 5.7 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVE IDs: CVE-2025-9955


AFFECTED PRODUCTS

  • WSO2 Enterprise Integrator: 6.6.0, 6.5.0, 6.4.0, 6.3.0, 6.2.0, 6.1.1, 6.1.0, 6.0.0
  • WSO2 Enterprise Service Bus: 5.0.0

OVERVIEW

Improper access control on internal SOAP Admin Services used for system logs and user-store configuration.

DESCRIPTION

Due to improper permissions defined in SOAP Admin Services, a low-privileged user can view system logs and details of user-store configuration.

IMPACT

A low-privileged user can view system logs and details of user-store configuration. User information or confidential user-store configurations such as credentials are not affected.

SOLUTION

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below, and create a service-access-control.xml file at each of the following paths with the content given below:

  • <EI_PRODUCT_HOME>/conf/service-access-control.xml
  • <EI_PRODUCT_HOME>/wso2/broker/conf/service-access-control.xml
  • <EI_PRODUCT_HOME>/wso2/business-process/conf/service-access-control.xml
service-access-control.xml content:

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
    ~ Copyright (c) 2025, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
    ~
    ~ WSO2 LLC. licenses this file to you under the Apache License,
    ~ Version 2.0 (the "License"); you may not use this file except
    ~ in compliance with the License.
    ~ You may obtain a copy of the License at
    ~
    ~     http://www.apache.org/licenses/LICENSE-2.0
    ~
    ~ Unless required by applicable law or agreed to in writing,
    ~ software distributed under the License is distributed on an
    ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    ~ KIND, either express or implied.  See the License for the
    ~ specific language governing permissions and limitations
    ~ under the License.
    -->

    <ServiceAccessControl>
        <Enabled>true</Enabled>
        <Services>

            <Service>
                <Name>LogViewer</Name>
                <AuthenticationEnabled>true</AuthenticationEnabled>
                <Permissions>
                    <Permission>/permission/admin/monitor/logs</Permission>
                </Permissions>
            </Service>

            <Service>
                <Name>UserProfileMgtService</Name>
                <AuthenticationEnabled>true</AuthenticationEnabled>
                <Operations>
                    <Operation name="isReadOnlyUserStore">
                        <Permissions>
                            <Permission>/permission/admin/manage/identity/userstore/config/view</Permission>
                        </Permissions>
                    </Operation>
                    <Operation name="getProfileFieldsForInternalStore">
                        <Permissions>
                            <Permission>/permission/admin/manage/identity/userstore/config/view</Permission>
                        </Permissions>
                    </Operation>
                    <Operation name="isAddProfileEnabled">
                        <Permissions>
                            <Permission>/permission/admin/manage/identity/userstore/config/view</Permission>
                        </Permissions>
                    </Operation>
                    <Operation name="isAddProfileEnabledForDomain">
                        <Permissions>
                            <Permission>/permission/admin/manage/identity/userstore/config/view</Permission>
                        </Permissions>
                    </Operation>
                    <Operation name="getNameAssociatedWith">
                        <Permissions>
                            <Permission>/permission/admin/manage/identity/user/association/view</Permission>
                        </Permissions>
                    </Operation>
                    <Operation name="getAssociatedIDsForUser">
                        <Permissions>
                            <Permission>/permission/admin/manage/identity/user/association/view</Permission>
                        </Permissions>
                    </Operation>
                    <Operation name="removeAssociateIDForUser">
                        <Permissions>
                            <Permission>/permission/admin/manage/identity/user/association/delete</Permission>
                        </Permissions>
                    </Operation>
                </Operations>
            </Service>

            <Service>
                <Name>UserAdmin</Name>
                <AuthenticationEnabled>true</AuthenticationEnabled>
                <Operations>
                    <Operation name="hasMultipleUserStores">
                        <Permissions>
                            <Permission>/permission/admin/manage/identity/userstore/config/view</Permission>
                        </Permissions>
                    </Operation>
                    <Operation name="changePasswordByUser">
                        <AuthenticationEnabled>false</AuthenticationEnabled>
                    </Operation>
                </Operations>
            </Service>

        </Services>
    </ServiceAccessControl>
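The file above only helps if it is enabled and actually carries the entries the advisory lists. The following is an added verification script, not WSO2's code: it parses a service-access-control.xml, builds the service/operation-to-permission map the file declares, and reports which of a chosen subset of the advisory's required entries are absent or unenforced (including the case where <Enabled> is not true). The sample XML is constructed for the example; the REQUIRED table can be extended to the full list above.

```python
import xml.etree.ElementTree as ET

USERSTORE_VIEW = "/permission/admin/manage/identity/userstore/config/view"
# Entries the advisory's file must enforce, keyed by (service, operation); an
# operation of None means a service-wide permission (LogViewer). Subset only.
REQUIRED = {
    ("LogViewer", None): "/permission/admin/monitor/logs",
    ("UserProfileMgtService", "isReadOnlyUserStore"): USERSTORE_VIEW,
    ("UserAdmin", "hasMultipleUserStores"): USERSTORE_VIEW,
}


def _perms(node):
    """Permissions listed directly under a <Service> or <Operation> element."""
    return {(p.text or "").strip() for p in node.findall("Permissions/Permission")}


def load_rules(xml_text):
    """Map (service, operation) -> permissions; None if <Enabled> is not true,
    because then nothing in the file is enforced whatever it lists."""
    root = ET.fromstring(xml_text)
    if root.findtext("Enabled", "").strip().lower() != "true":
        return None
    rules = {}
    for svc in root.iter("Service"):
        name = svc.findtext("Name", "").strip()
        rules[(name, None)] = _perms(svc)
        for op in svc.findall("Operations/Operation"):
            rules[(name, op.get("name"))] = _perms(op)
    return rules


def missing_entries(xml_text):
    """REQUIRED keys whose permission the given file does not enforce."""
    rules = load_rules(xml_text) or {}  # a disabled file enforces nothing
    missing = [k for k, p in REQUIRED.items() if p not in rules.get(k, set())]
    return sorted(missing, key=lambda k: (k[0], k[1] or ""))


# Constructed sample: a file that forgot the UserAdmin/hasMultipleUserStores entry.
SAMPLE_INCOMPLETE = """<ServiceAccessControl><Enabled>true</Enabled><Services>
  <Service><Name>LogViewer</Name><AuthenticationEnabled>true</AuthenticationEnabled>
    <Permissions><Permission>/permission/admin/monitor/logs</Permission></Permissions></Service>
  <Service><Name>UserProfileMgtService</Name><AuthenticationEnabled>true</AuthenticationEnabled>
    <Operations><Operation name="isReadOnlyUserStore"><Permissions>
      <Permission>/permission/admin/manage/identity/userstore/config/view</Permission>
    </Permissions></Operation></Operations></Service>
  <Service><Name>UserAdmin</Name><AuthenticationEnabled>true</AuthenticationEnabled>
    <Operations><Operation name="changePasswordByUser">
      <AuthenticationEnabled>false</AuthenticationEnabled></Operation></Operations></Service>
</Services></ServiceAccessControl>"""
```

To check a deployed file, pass the contents of each of the three paths listed above to missing_entries(); an empty list means every entry in REQUIRED is present and enforced.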

Support Subscription Holders

Update your product to the specified update level or a higher update level to apply the fix.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Name                   Product Version   Update Level
WSO2 Enterprise Integrator     6.6.0             222
WSO2 Enterprise Integrator     6.5.0             107
WSO2 Enterprise Integrator     6.4.0             100
WSO2 Enterprise Integrator     6.3.0             70
WSO2 Enterprise Integrator     6.2.0             62
WSO2 Enterprise Integrator     6.1.1             43
WSO2 Enterprise Integrator     6.1.0             39
WSO2 Enterprise Integrator     6.0.0             22
WSO2 Enterprise Service Bus    5.0.0             29