WSO2 Enterprise Integrator
cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*
- 6.6.0
- 6.5.0
- 6.4.0
- 6.3.0
- 6.2.0
- 6.1.1
- 6.1.0
- 6.0.0
A vulnerability exists in WSO2 Enterprise Integrator versions 6.0.0 through 6.6.0 and WSO2 Enterprise Service Bus 5.0.0 due to improper access control on internal SOAP admin services. This flaw allows low-privileged users to access system log data and user-store configuration details that should not be available at their privilege level. While no sensitive user information or credentials are exposed, the vulnerability could give unauthorized insight into internal operations, potentially facilitating further exploitation or reconnaissance.
Exploitation of this vulnerability allows low-privileged users to access system logs and user-store configuration details, excluding any confidential user information or credentials.
Users of WSO2 Enterprise Integrator can apply the relevant fixes by updating to version 6.6.0, 6.5.0, 6.4.0, 6.3.0, 6.2.0, 6.1.1, 6.1.0 or 6.0.0. WSO2 Enterprise Service Bus users can update to version 5.0.0. Community users should apply the public fix available on GitHub, while support subscription holders can use WSO2 Updates to apply the fix.