CVE-2025-5717
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-94
Control incorrecto de generación de código (Inyección de código)
Fecha de publicación:
23/09/2025
Última modificación:
21/11/2025
Descripción
*** Pendiente de traducción *** An authenticated remote code execution (RCE) vulnerability exists in multiple WSO2 products due to improper input validation in the event processor admin service. A user with administrative access to the SOAP admin services can exploit this flaw by deploying a Siddhi execution plan containing malicious Java code, resulting in arbitrary code execution on the server.<br />
<br />
Exploitation of this vulnerability requires a valid user account with administrative privileges, limiting the attack surface to authenticated but potentially malicious users.
Impacto
Puntuación base 3.x
6.80
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página