WSO2 Products Information Disclosure Vulnerability via Improper Enrich Mediator Implementation

Vulnerability

An information disclosure vulnerability exists in multiple WSO2 products, including WSO2 API Manager and WSO2 Micro Integrator. The enrich mediator does not properly isolate or clear its internal state between executions, so data left behind by one mediation context can surface in another. An authenticated user can therefore read business data that belongs to other message flows. User credentials and access tokens are not exposed, but any sensitive business information processed by the affected message flows may be.
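The following is an added illustration of the bug class the advisory describes (working state kept on a reusable mediator object instead of on the message being processed); it is constructed for this page and is not WSO2 or Apache Synapse code. The `MessageContext` class, the `order` element and the two tenants are assumptions made for the example. The leaky mediator is shown beside a hardened form that resolves everything from the current message.

```python
"""Constructed illustration of state leaking across mediation contexts.

A mediator instance is shared by every message that passes through the
sequence. If it stores the payload it is working on in an instance field,
a later message that does not carry that payload reads what the previous
message left behind. This is the general class of the defect the advisory
describes, not the specific WSO2 code path.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MessageContext:
    """Per-message state (assumed shape, loosely modeled on a Synapse context)."""
    tenant: str
    body: Dict[str, object] = field(default_factory=dict)
    properties: Dict[str, object] = field(default_factory=dict)


class LeakyEnrichMediator:
    """Vulnerable form: the source payload lives on the mediator instance.

    The field is only overwritten when the incoming message carries an
    'order' element, so a message without one is enriched with whatever the
    previous message stored there, even if it came from another tenant.
    """

    def __init__(self) -> None:
        self._source: Optional[object] = None  # survives across mediate() calls

    def mediate(self, ctx: MessageContext) -> MessageContext:
        if "order" in ctx.body:
            self._source = ctx.body["order"]
        # Target is enriched from the instance field, not from this message.
        ctx.properties["enriched_order"] = self._source
        return ctx


class IsolatedEnrichMediator:
    """Hardened form: all working state is resolved from the current message."""

    def mediate(self, ctx: MessageContext) -> MessageContext:
        source = ctx.body.get("order")  # None when this message has no order
        ctx.properties["enriched_order"] = source
        return ctx


def run_flow(mediator) -> List[object]:
    """Push two messages from different tenants through one mediator instance.

    The second message deliberately carries no 'order' element; the value it
    ends up with shows whether state crossed the context boundary.
    """
    tenant_a = MessageContext(
        "tenant-a", body={"order": {"id": 42, "card_last4": "1234"}}
    )
    tenant_b = MessageContext("tenant-b", body={})
    return [mediator.mediate(ctx).properties["enriched_order"]
            for ctx in (tenant_a, tenant_b)]


def leaks_across_contexts(mediator) -> bool:
    """True if tenant-b receives data that only tenant-a submitted."""
    _, seen_by_b = run_flow(mediator)
    return seen_by_b is not None


if __name__ == "__main__":
    print("leaky   :", run_flow(LeakyEnrichMediator()))
    print("isolated:", run_flow(IsolatedEnrichMediator()))
```

The same pattern applies to any mediator field that is written during one execution and read during the next: the fix is to keep per-message data on the message context (or a local variable) and never on the shared mediator object.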

Impact

Successful exploitation exposes business data across mediation contexts, which may include sensitive information handled by the affected message flows. User credentials and access tokens are not affected.

Remediation

Update the affected WSO2 products to the latest released version. WSO2 Support Subscription holders can apply the fix through the WSO2 Updates service.

Added: Sep 23, 2025, 11:17 AM
Updated: Sep 23, 2025, 11:17 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.