Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Reported Vulnerability

Improper file extension validation in file upload feature of WSO2 API Manager.

Reported Products

WSO2 API Manager

WSO2 Clarification

WSO2 API Manager Publisher provides certain functionalities that can be used to upload any types of files as the API documentation which is an expected behaviour. This helps API publishers market their APIs.

Furthermore, only the authenticated users who have the permission to publish an API would be able to upload the file. The uploaded API documentation will also be stored in Registry (Database), and will not be persisted to the file system at any point.

Due to the aforementioned reasons, WSO2 does not consider this as a threat in the context of WSO2 API Manager. This feature has been intentionally provided to allow WSO2 API Manager Publisher users, who have the required permissions, to carry out uploading API documentation of any types.

CVE References

https://www.cvedetails.com/cve/CVE-2019-6513/