Description
An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server. Exploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users.
CVSS breakdown
CVSS 3.1
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- WSO2 / Siddhi Extension Evaluate Scripts3.2.10 – 3.2.10.1
- WSO2 / Siddhi Extension Evaluate Scripts3.2.14 – 3.2.14.1
- WSO2 / Siddhi Extension Evaluate Scripts3.2.13 – 3.2.13.2
- WSO2 / Siddhi Extension Evaluate Scripts3.2.15 – *
- WSO2 / Siddhi Extension Evaluate Scripts3.2.6 – 3.2.6.8
- WSO2 / Siddhi Extension Evaluate Scripts3.2.7 – 3.2.7.6
- WSO2 / Siddhi Extension Evaluate Scripts3.2.8 – 3.2.8.3
- WSO2 / WSO2 API Control Plane4.5.0 – 4.5.0.6
- WSO2 / WSO2 API Manager4.3.0 – 4.3.0.59
- WSO2 / WSO2 API Manager4.4.0 – 4.4.0.22
- WSO2 / WSO2 API Manager4.5.0 – 4.5.0.6
- WSO2 / WSO2 API Manager0 – 3.0.0
- WSO2 / WSO2 API Manager3.0.0 – 3.0.0.174
- WSO2 / WSO2 API Manager3.1.0 – 3.1.0.330
- WSO2 / WSO2 API Manager3.2.0 – 3.2.0.426
- WSO2 / WSO2 API Manager3.2.1 – 3.2.1.46
- WSO2 / WSO2 API Manager4.0.0 – 4.0.0.344
- WSO2 / WSO2 API Manager4.1.0 – 4.1.0.208
- WSO2 / WSO2 API Manager4.2.0 – 4.2.0.147
- WSO2 / WSO2 Open Banking AM2.0.0 – 2.0.0.379
- WSO2 / WSO2 Open Banking AM0 – 2.0.0
- WSO2 / WSO2 Traffic Manager4.5.0 – 4.5.0.6