WSO2 API Manager Improper Privilege Management Vulnerability in Dynamic Client Registration Endpoint

Vulnerability

A vulnerability allowing improper privilege management has been identified in WSO2 API Manager versions 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, and 3.2.0. This vulnerability arises from inadequate authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint. As a result, malicious users can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations.
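The flaw class described above, as an added illustration that is not WSO2's code: a DCR handler that neither verifies the caller nor caps the privileges the new client may carry (so any caller can register a client whose tokens carry administrative roles), beside a hardened handler that requires authentication and bounds the client at the registrant's own roles. Role names, field names and the `compare` helper are constructed for this example.

```python
"""Added example (not WSO2 code): privilege ceiling for a DCR endpoint.

A registered OAuth client later obtains access tokens, so the roles a client
is registered with are the roles its tokens will carry. Role names here are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The caller of the DCR endpoint, as seen after authentication."""
    username: str
    roles: frozenset
    authenticated: bool


ANONYMOUS = Principal(username="anonymous", roles=frozenset(), authenticated=False)


@dataclass(frozen=True)
class Client:
    """A registered OAuth client; tokens issued to it inherit `roles`."""
    client_id: str
    owner: str
    roles: frozenset


def register_client_vulnerable(caller: Principal, name: str, wanted: frozenset) -> Client:
    """Flaw pattern: no caller check, requested roles copied verbatim."""
    return Client(client_id=f"cid-{name}", owner=caller.username, roles=wanted)


def register_client_hardened(caller: Principal, name: str, wanted: frozenset) -> Client:
    """Require an authenticated caller and cap the client at the caller's roles."""
    if not caller.authenticated:
        raise PermissionError("DCR requires an authenticated caller")
    excess = wanted - caller.roles
    if excess:
        raise PermissionError(f"requested roles exceed caller's: {sorted(excess)}")
    return Client(client_id=f"cid-{name}", owner=caller.username, roles=wanted)


def token_roles(client: Client) -> list:
    """Roles that an access token issued to `client` would carry."""
    return sorted(client.roles)


def compare(caller: Principal, wanted: frozenset) -> dict:
    """Run both handlers on one request and report what each would grant."""
    result = {"vulnerable": token_roles(register_client_vulnerable(caller, "app", wanted))}
    try:
        result["hardened"] = token_roles(register_client_hardened(caller, "app", wanted))
    except PermissionError as exc:
        result["hardened"] = f"denied: {exc}"
    return result


if __name__ == "__main__":
    print(compare(ANONYMOUS, frozenset({"admin"})))
```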

Impact

Exploitation of this vulnerability could allow an attacker to gain administrative privileges and execute unauthorized actions within the application.

Remediation

Users of WSO2 API Manager can update to version 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, or 3.2.0. Community users can apply the public fix available on GitHub. WSO2 Support Subscription Holders can use WSO2 Updates to apply the fix.

Added: Oct 16, 2025, 1:19 PM
Updated: Oct 16, 2025, 3:42 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          5.0
exploitability  7.6
remediation     7.7
relevance       0.8
threat          0.0
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.