WSO2 Products Authentication Bypass Vulnerability in Management Console
Vulnerability
An authentication bypass vulnerability has been identified in the Management Console of multiple WSO2 products, including WSO2 API Manager, WSO2 Identity Server, WSO2 Traffic Manager, and others. This vulnerability allows a malicious actor with access to the console to manipulate the request URI, bypass authentication, and access restricted resources. While the vulnerability does not lead to full account compromise, it enables unauthorized access to internal system details, with the current known exposure limited to memory statistics.
Impact
Exploitation of this vulnerability allows unauthorized access to certain features in the Management Console, bypassing the need for valid user credentials. This could lead to partial information disclosure, specifically memory statistics.
Remediation
Community users can apply the public fix available in the WSO2 GitHub repository. Support subscription holders should update their product to the specified update level or a later version to apply the fix.
