An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HWso2 Api Control Plane
APPWso24.5.0Wso2 Api Manager
APPWso22.0.02.1.02.2.02.5.02.6.03.0.03.1.03.2.03.2.14.0.04.1.04.2.04.3.04.4.04.5.0Wso2 Api Manager Analytics
APPWso22.0.02.1.02.2.02.5.0Wso2 Data Analytics Server
APPWso23.1.03.2.0Wso2 Enterprise Integrator
APPWso26.2.06.3.0Wso2 Enterprise Mobility Manager
APPWso22.2.0Wso2 Enterprise Service Bus
APPWso25.0.0Wso2 Identity Server
APPWso25.10.05.11.05.2.05.3.05.4.05.4.15.5.05.6.05.7.05.8.05.9.06.0.06.1.07.0.07.1.0Wso2 Identity Server Analytics
APPWso25.2.05.3.05.5.05.6.0Wso2 Identity Server As Key Manager
APPWso25.10.05.3.05.5.05.6.05.7.05.9.0Wso2 Open Banking Am
APPWso21.4.01.5.02.0.0Wso2 Open Banking Iam
APPWso22.0.0Wso2 Open Banking Km
APPWso21.4.01.5.0Wso2 Traffic Manager
APPWso24.5.0Wso2 Universal Gateway
APPWso24.5.0
Related vulnerabilities
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must u...
WSO2 API Manager – RCE przez upload pliku z uprawnieniami administratora
Brak wymuszania uwierzytelniania mTLS w produktach WSO2 — nieautoryzowany dostęp administracyjny
Pominięcie kontroli dostępu w produktach WSO2 – nieautoryzowany dostęp administracyjny
WSO2 API Manager — brak uwierzytelniania w endpoincie DCR umożliwia eskalację uprawnień