Published: 3rd September 2021
CVSS Score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
WSO2 API Manager : 3.2.0 , 4.0.0
Sensitive information disclosed in API Publisher
When the API endpoints are secured with Basic Auth, "Download API" and Export functionality of API Publisher exposes Basic Auth credentials in clear text.
In order to exploit this vulnerability, the malicious actor should be able to reach API Publisher and should have a valid user account which has access to it. Due to the sensitive information disclosure, the malicious actor with such access may extract the credentials and perform direct backend endpoint invocations, or harm otherwise. In addition, already downloaded/exported archives affected by this issue could lead to unauthorized access to backend endpoints.
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix: https://github.com/wso2/carbon-apimgt/pull/10620
If you are affected by the impact relevant to already downloaded/exported archives, it is highly recommended to change Basic Auth credentials used in securing backend endpoints.
Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.