
Reported Vulnerability

"Uploaded documents for API’s documentation on publisher part are available for unauthenticated users."

Reported Products

WSO2 API Manager 2.6.0

WSO2 Clarification

The uploaded documents for an API are accessible without authentication only when the API's visibility is set to public. If the visibility is restricted to one or more user roles, the documents are not available without authentication and authorization. Furthermore, if the API's visibility is changed to restricted roles after a document has been added, those roles apply to the existing uploaded documents as well, so they are no longer available to an unauthenticated user. This is the expected behavior of WSO2 API Manager: documents inherit the visibility of the API they belong to. Therefore, if the API visibility is correctly set using user roles, this is not a vulnerability.
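The visibility rule above, written out as a small model so the behavior can be checked against expectations. This is an added illustration and not WSO2 API Manager code; the `Api`, `Document`, `can_view_documents` and `audit_public_apis_with_documents` names, and the PUBLIC/RESTRICTED values, are assumptions chosen for the example. It encodes the three points of the clarification: public APIs expose their documents to anonymous callers, role-restricted APIs deny anonymous callers and users without a matching role, and a visibility change made after upload applies to the documents that already exist. The audit helper lists public APIs that carry documents, which is the check an operator would run to confirm that anonymous access to those documents is intended.

```python
"""Hypothetical model of API-document visibility (added example, not WSO2 code)."""
from dataclasses import dataclass, field

# Assumed visibility values for the model.
PUBLIC = "PUBLIC"
RESTRICTED = "RESTRICTED"


@dataclass
class Document:
    name: str


@dataclass
class Api:
    name: str
    visibility: str = PUBLIC
    visible_roles: frozenset = frozenset()
    documents: list = field(default_factory=list)

    def add_document(self, name):
        # Documents carry no access rule of their own; they follow the API's visibility.
        self.documents.append(Document(name))

    def set_visibility(self, visibility, roles=()):
        # Changing visibility later affects every document already uploaded,
        # because the access decision is always made against the API.
        if visibility not in (PUBLIC, RESTRICTED):
            raise ValueError("unknown visibility: %r" % visibility)
        if visibility == RESTRICTED and not roles:
            raise ValueError("restricted visibility needs at least one role")
        self.visibility = visibility
        self.visible_roles = frozenset(roles) if visibility == RESTRICTED else frozenset()


def can_view_documents(api, user_roles=None):
    """Decide document access. user_roles=None models an unauthenticated caller."""
    if api.visibility == PUBLIC:
        return True
    if user_roles is None:
        return False  # anonymous caller never sees a role-restricted API's documents
    return bool(api.visible_roles & frozenset(user_roles))


def visible_documents(api, user_roles=None):
    """Document names the caller may see, or an empty list when access is denied."""
    if not can_view_documents(api, user_roles):
        return []
    return [d.name for d in api.documents]


def audit_public_apis_with_documents(apis):
    """Operator check: public APIs with documents are readable anonymously by design.

    Returns their names so each can be confirmed as intentionally public."""
    return [a.name for a in apis if a.visibility == PUBLIC and a.documents]


if __name__ == "__main__":
    # Constructed sample: one API, documented while public, then restricted.
    orders = Api("Orders")
    orders.add_document("orders-guide.pdf")
    print("public, anonymous:", visible_documents(orders))
    orders.set_visibility(RESTRICTED, ["internal/orders"])
    print("restricted, anonymous:", visible_documents(orders))
    print("restricted, matching role:", visible_documents(orders, ["internal/orders"]))
    print("audit:", audit_public_apis_with_documents([orders, Api("Catalog", documents=[Document("c.pdf")])]))
```

The model deliberately keeps no per-document access list, which is what makes the "restrict after upload" case fall out correctly: there is nothing stale on the document to forget to update.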

CVE References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6515

https://www.excellium-services.com/cert-xlm-advisory/cve-2019-6515/
