Description
An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions. This vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected products
- WSO2 / WSO2 API Manager0 – 3.2.0
- WSO2 / WSO2 API Manager3.2.0 – 3.2.0.422
- WSO2 / WSO2 API Manager3.2.1 – 3.2.1.42
- WSO2 / WSO2 API Manager4.1.0 – 4.1.0.152
- WSO2 / WSO2 API Manager4.3.0 – 4.3.0.55
- WSO2 / WSO2 Micro integrator0 – 1.2.0
- WSO2 / WSO2 Micro integrator1.2.0 – 1.2.0.157
- WSO2 / WSO2 Micro integrator4.1.0 – 4.1.0.95