Published: 08th September 2020
CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H)
WSO2 API Manager : 3.2.0 or earlier
WSO2 API Manager Analytics : 2.5.0, 2.2.0
WSO2 Enterprise Integrator : 6.6.0 or earlier
WSO2 Governance Registry : 5.4.0
WSO2 IS as Key Manager : 5.10.0 or ealier
WSO2 Identity Server : 5.10.0 or earlier
WSO2 Identity Server Analytics : 5.6.0 or earlier
A potential XXE and XSS have been identified in the Feature Management section of the Management Console.
A potential XML Entity processing vulnerability was identified in the Feature Management section of the Management console, which can be used to extract sensitive information and cause denial of service. In addition, a potential Cross Site Scripting (XSS) vulnerability was identified in the same feature.
A malicious actor who has authenticated access to the Management Console, may use maliciously crafted feature repositories to exploit the XXE vulnerability and read confidential files from the file system or access HTTP resources that are reachable to the vulnerable product. The same vulnerability could be used in performing denial of service attack.
If a feature repository uses unencrypted channels (HTTP without SSL/TLS), a malicious actor may use Man-inthe-Middle techniques, without having to authenticate to the management console to inject such malicious payloads.
In combination with the XXE a malicious actor may exploit the XSS issue to perform a phishing attack on another administrator. This can only be exploited when another administrator performs Feature Management related operations.
If security guidelines for production deployment provided by WSO2 are followed and access to Management Console is properly restricted, the impact of this issue is greatly reduced.
If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.
The affected feature is already deprecated and has been removed from the latest versions of WSO2 products. To remove the affected feature from the product versions that have this feature installed, you may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-kernel/pull/2764
If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.
2020-09-24: API Manager 3.2.0 added to the affected product list.
WSO2 thanks, Mal Aware for responsibly reporting the identified issue and working with us as we addressed it.