CVE-2024-3511

Summary

An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.

Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Enterprise Integrator0 < 6.6.0unknown
WSO2WSO2 Enterprise Integrator6.6.0 < 6.6.0.205affected
WSO2WSO2 API Manager0 < 3.1.0unknown
WSO2WSO2 API Manager3.1.0 < 3.1.0.273affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.361affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.13affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.306affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.163affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.98affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.17affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.289affected
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.292affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.333affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.180affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.141affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.8affected
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.320affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.341affected
WSO2WSO2 Carbon User Manager Kernel4.5.0 < 4.5.0.5affected
WSO2WSO2 Carbon User Manager Kernel4.5.3 < 4.5.3.35affected
WSO2WSO2 Carbon User Manager Kernel4.6.0 < 4.6.0.140affected
WSO2WSO2 Carbon User Manager Kernel4.6.1 < 4.6.1.107affected
WSO2WSO2 Carbon User Manager Kernel4.6.2 < 4.6.2.323affected
WSO2WSO2 Carbon User Manager Kernel4.6.3 < 4.6.3.18affected
WSO2WSO2 Carbon User Manager Kernel4.6.4 < 4.6.4.3affected
WSO2WSO2 Carbon User Manager Kernel4.7.1 < 4.7.1.47affected
WSO2WSO2 Carbon User Manager Kernel4.8.1 < 4.8.1.19affected
WSO2WSO2 Carbon User Manager Kernel4.9.0 < 4.9.0.52affected
WSO2WSO2 Carbon User Manager Kernel4.9.26 < 4.9.26.10affected
WSO2WSO2 Carbon User Manager Kernel4.10.9 < 4.10.9.8affected
WSO2WSO2 Carbon User Manager Kernel4.10.13 <= *unaffected

Weaknesses

  • CWE-863: CWE-863 Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References