Published: 8th November 2016
WSO2 API Manager is vulnerable to unauthorized user access of swagger definition url import API in API Publisher.
WSO2 API Manager provides an API for swagger definition import by swagger resource url. This particular API is vulnerable for unauthorized user access and it can be invoked by anonymous users. Thus an attacker who doesn’t even have credentials to access API Publisher can possibly access the swagger definition url import API.
In addition to that, the imported swagger content has not been validated by the API.
An attacker can invoke the swagger definition import API as an anonymous user and perform malicious activities. Further, the attacker can use an invalid url or a url with invalid swagger definition content, since it has not been validated during the swagger definition import time.
Please use WSO2 Update Manager (WUM) to update the following product.
WSO2 API Manager
If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.