Published: 7th September 2021
CVSS Score: 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
API Manager: 2.2.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0
Unauthenticated access to non-sensitive registry resources
It is possible to download non-sensitive registry resources, such as API documentation and API icons, without being authenticated.
By leveraging this vulnerability, an unauthenticated user can access the registry resources that hold API documentation without authenticating to the management console.
The recommended solution is to block these request URL paths at the load balancer (LB) level. Allow only '/registry/resource/_system/governance/apimgt/applicationdata/icons' and block all other paths starting with '/registry'. The icon path is used to display thumbnail icons for APIs, so it must remain allowed. For API Manager 3.x and newer versions, the entire '/registry' path can be blocked at the LB level.
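As an added example (not WSO2's code), the following Python policy function applies the allow/deny rules above the way a load balancer rule would, including path canonicalization so percent-encoded or '..' segments cannot slip past the prefix check. The function names, version strings and sample request paths are constructed for illustration; the icon path is the one quoted in the advisory.

```python
"""Path policy for the advisory's mitigation: on API Manager 2.x keep only
the API icon registry path reachable and block everything else under
/registry; on 3.x and newer block /registry entirely.

Added example, not WSO2 code. Function names and sample paths are
constructed; the icon prefix is the path quoted in the advisory.
"""
import posixpath
from urllib.parse import unquote

ICON_PREFIX = "/registry/resource/_system/governance/apimgt/applicationdata/icons"
REGISTRY_PREFIX = "/registry"


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before matching: drop the query string,
    percent-decode twice (to catch double encoding), then resolve '.'/'..'
    segments and duplicate slashes so '/registry/../registry/x' and
    '/registry//x' are compared the same way the backend would treat them."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def _under(path: str, prefix: str) -> bool:
    """True if path equals prefix or is a descendant of it (segment-aware,
    so '/registryfoo' does not match '/registry')."""
    return path == prefix or path.startswith(prefix + "/")


def registry_path_allowed(version: str, raw_path: str) -> bool:
    """Return True if the LB should forward the request to API Manager.
    Paths outside /registry are always forwarded; this policy only covers
    the registry endpoint described in the advisory."""
    path = normalize_path(raw_path)
    if not _under(path, REGISTRY_PREFIX):
        return True
    major = int(version.split(".")[0])
    if major >= 3:
        return False                      # 3.x and newer: block all of /registry
    return _under(path, ICON_PREFIX)      # 2.x: only API icons stay reachable
```

The same prefix logic maps directly onto an LB or reverse-proxy location rule; the canonicalization step is what makes the prefix comparison trustworthy.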
Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.