Published: 1st July 2020
CVSS Score: 4.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N)
WSO2 API Manager : 3.0.0 or earlier
WSO2 API Manager Analytics : 2.5.0 or earlier
WSO2 API Microgateway : 2.2.0
WSO2 Data Analytics Server : 3.2.0
WSO2 Enterprise Integrator : 6.6.0 or earlier
WSO2 Identity Server : 5.9.0 or earlier
WSO2 IS as Key Manager : 5.9.0 or earlier
WSO2 Identity Server Analytics : 5.6.0 or earlier
Server Side Request Forgery (SSRF) vulnerability in Management Console usable in time-based analysis.
It was identified that the intended behaviour of a deprecated feature available in the Management Console of WSO2 products could also be used to perform a Server Side Request Forgery (SSRF) which does not expose any sensitive information or response data other than being able to map internal network based on response times.
As per WSO2's security guidelines for production deployments, it is highly advised to restrict Management Console access to internal trusted networks. If access is available to the UI (/carbon) or the admin services (/services) of the Management Console, this vulnerability can be used by an authenticated administrator to perform a time-based identification of other open ports or available services within the deployment. Any information regarding the response data, including the success or failure of the server side request, is not exposed. However, if there are other services in the deployment that allow unauthenticated state changing operations via HTTP GET requests, those operations could be invoked by using this vulnerability.
This vulnerability was identified in an already deprecated feature that is not used in regular operations of the product. Latest version of WSO2 products have completely removed the affected feature. If you are using an affected product version, it is highly recommended to migrate to the latest released version.
WSO2 thanks, Paweł Hałdrzyński (Limpid Security) for responsibly reporting the identified issue and working with us as we addressed it.