CVE-2024-3511
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
23/06/2025
Last modified:
06/10/2025
Description
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.<br />
<br />
Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance.
Impact
Base Score 3.x
4.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:identity_server:6.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:identity_server:6.1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:identity_server:7.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page