An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.
| Vendor | Product | Versions |
|---|---|---|
| WSO2 | WSO2 Enterprise Integrator | 0, 6.6.0 |
| WSO2 | WSO2 API Manager | 0, 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0 |
| WSO2 | WSO2 Identity Server as Key Manager | 0, 5.10.0 |
| WSO2 | WSO2 Identity Server | 0, 5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0 |
| WSO2 | WSO2 Open Banking AM | 0, 2.0.0 |
| WSO2 | WSO2 Open Banking IAM | 0, 2.0.0 |
| WSO2 | WSO2 Carbon User Manager Kernel | 4.5.0, 4.5.3, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.7.1, 4.8.1, 4.9.0, 4.9.26, 4.10.9, 4.10.13 |
Not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. EPSS is the best forward-looking signal — see the EPSS row above.
For the full vendor write-up, exploit chains, and reference implementations, see the references list in section 09.
Open the Sigma generator with a pre-filled prompt for this CVE to draft a starting detection in your stack of choice:
No directly-cited follow-up CVEs in the KB record for this advisory. The references list in section 09 carries the vendor cross-references.