
Published: 8th November 2016


OVERVIEW


WSO2 API Manager is vulnerable to unauthorized access to the swagger definition URL import API in the API Publisher.



DESCRIPTION


WSO2 API Manager provides an API for importing a swagger definition from a swagger resource URL. This API is vulnerable to unauthorized access: it can be invoked by anonymous users. An attacker who has no credentials for the API Publisher at all can therefore still reach the swagger definition URL import API.

In addition, the imported swagger content is not validated by the API.



IMPACT

An attacker can invoke the swagger definition import API as an anonymous user and perform malicious activities. Further, because the content is not validated at import time, the attacker can supply an invalid URL or a URL whose content is not a valid swagger definition.
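To make the two defects in the DESCRIPTION and IMPACT sections concrete, the following is an added, constructed Python illustration of a "import swagger by URL" handler; it is not WSO2 code and does not reproduce any WSO2 endpoint. The "before" function accepts any caller and stores whatever the URL returns; the hardened function first requires an authenticated session with a publisher role, then restricts the URL to http(s), then checks the fetched content for the structure of a swagger 2.0 document (swagger version, info.title, info.version and a paths object) before it is accepted. The session model, the role name "publisher", the fetch stub and the sample definition are all assumptions made for the example.

```python
import json
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample swagger 2.0 definition standing in for a remote resource.
SAMPLE_SWAGGER = json.dumps({
    "swagger": "2.0",
    "info": {"title": "PizzaShack", "version": "1.0.0"},
    "paths": {"/menu": {"get": {"responses": {"200": {"description": "ok"}}}}},
})


@dataclass
class Session:
    """Hypothetical caller context: user None means an anonymous request."""
    user: object = None
    roles: set = field(default_factory=set)

    @property
    def authenticated(self):
        return self.user is not None


class ImportRejected(Exception):
    """Raised when a request fails an authorization or validation check."""


def fetch_stub(url):
    """Stand-in for the HTTP fetch so the example runs offline (constructed)."""
    return {
        "https://example.test/api.json": SAMPLE_SWAGGER,
        "https://example.test/notes.html": "<html>not a swagger document</html>",
    }.get(url, "")


def import_swagger_vulnerable(url, fetch=fetch_stub):
    """'Before' shape: no caller check, and the fetched body is stored unchecked."""
    return {"source": url, "definition": fetch(url)}


def url_is_acceptable(url):
    """Only absolute http(s) URLs with a host are accepted as a swagger source."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.netloc)


def validate_swagger(text):
    """Parse the fetched body and reject anything that is not a swagger 2.0 document."""
    try:
        doc = json.loads(text)
    except ValueError:
        raise ImportRejected("content is not JSON")
    if not isinstance(doc, dict) or doc.get("swagger") != "2.0":
        raise ImportRejected("not a swagger 2.0 document")
    info = doc.get("info")
    if not isinstance(info, dict) or not info.get("title") or not info.get("version"):
        raise ImportRejected("info.title and info.version are required")
    paths = doc.get("paths")
    if not isinstance(paths, dict):
        raise ImportRejected("a paths object is required")
    for path, item in paths.items():
        if not path.startswith("/") or not isinstance(item, dict):
            raise ImportRejected("malformed path entry: %r" % path)
    return doc


def import_swagger_hardened(session, url, fetch=fetch_stub):
    """'After' shape: authenticate, authorize, constrain the URL, validate the content."""
    if not session.authenticated or "publisher" not in session.roles:
        raise ImportRejected("authentication as a publisher user is required")
    if not url_is_acceptable(url):
        raise ImportRejected("only http(s) URLs are accepted")
    return {"source": url, "definition": validate_swagger(fetch(url))}
```

The order of checks matters: the authorization check runs before any fetch, so an anonymous caller cannot cause the server to retrieve a URL at all, and the content check runs before anything is stored, so an invalid definition never reaches the API store.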



SOLUTION

Please use WSO2 Update Manager (WUM) to update the following product.


Code   Product            Version
AM     WSO2 API Manager   2.0.0


NOTES


If you are using a newer version of the product than the one listed in the SOLUTION section, this vulnerability is already fixed.
