CVE-2024-3511

Description

An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization. Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance.

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected products

WSO2 / WSO2 API Manager3.2.1 – 3.2.1.13
WSO2 / WSO2 API Manager4.0.0 – 4.0.0.306
WSO2 / WSO2 API Manager4.1.0 – 4.1.0.163
WSO2 / WSO2 API Manager4.2.0 – 4.2.0.98
WSO2 / WSO2 API Manager4.3.0 – 4.3.0.17
WSO2 / WSO2 API Manager0 – 3.1.0
WSO2 / WSO2 API Manager3.1.0 – 3.1.0.273
WSO2 / WSO2 API Manager3.2.0 – 3.2.0.361
WSO2 / WSO2 Carbon User Manager Kernel4.6.4 – 4.6.4.3
WSO2 / WSO2 Carbon User Manager Kernel4.6.3 – 4.6.3.18
WSO2 / WSO2 Carbon User Manager Kernel4.6.2 – 4.6.2.323
WSO2 / WSO2 Carbon User Manager Kernel4.6.1 – 4.6.1.107
WSO2 / WSO2 Carbon User Manager Kernel4.5.3 – 4.5.3.35
WSO2 / WSO2 Carbon User Manager Kernel4.6.0 – 4.6.0.140
WSO2 / WSO2 Carbon User Manager Kernel4.5.0 – 4.5.0.5
WSO2 / WSO2 Carbon User Manager Kernel4.10.13 – *
WSO2 / WSO2 Carbon User Manager Kernel4.10.9 – 4.10.9.8
WSO2 / WSO2 Carbon User Manager Kernel4.9.26 – 4.9.26.10
WSO2 / WSO2 Carbon User Manager Kernel4.9.0 – 4.9.0.52
WSO2 / WSO2 Carbon User Manager Kernel4.8.1 – 4.8.1.19
WSO2 / WSO2 Carbon User Manager Kernel4.7.1 – 4.7.1.47
WSO2 / WSO2 Enterprise Integrator0 – 6.6.0
WSO2 / WSO2 Enterprise Integrator6.6.0 – 6.6.0.205
WSO2 / WSO2 Identity Server6.0.0 – 6.0.0.180
WSO2 / WSO2 Identity Server0 – 5.10.0
WSO2 / WSO2 Identity Server5.10.0 – 5.10.0.292
WSO2 / WSO2 Identity Server5.11.0 – 5.11.0.333
WSO2 / WSO2 Identity Server7.0.0 – 7.0.0.8
WSO2 / WSO2 Identity Server6.1.0 – 6.1.0.141
WSO2 / WSO2 Identity Server as Key Manager0 – 5.10.0
WSO2 / WSO2 Identity Server as Key Manager5.10.0 – 5.10.0.289
WSO2 / WSO2 Open Banking AM2.0.0 – 2.0.0.320
WSO2 / WSO2 Open Banking AM0 – 2.0.0
WSO2 / WSO2 Open Banking IAM0 – 2.0.0
WSO2 / WSO2 Open Banking IAM2.0.0 – 2.0.0.341

References

VENDOR_ADVISORYhttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/