Security Advisory WSO2-2021-1487

Published: 14th February 2022

Version: 1.0.0

Severity: Medium

CVSS Score:  6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

AFFECTED PRODUCTS

WSO2 API Manager : 3.1.0 , 3.2.0 , 4.0.0
WSO2 IS as Key Manager : 5.10.0

OVERVIEW

API subscription status is not validated when invoking the API with API Key.

DESCRIPTION

In order to access the API resources, consumers need to subscribe to the APIs and access them with an OAuth2 token or API Key. However, when the API Key is used to consume the resources from the API, API gateway fails to verify the subscription validity status of API Key.

IMPACT

This vulnerability allows consumers to access the API resources using the already generated API Key before unsubscribing the API (until the API Key expires). Therefore by leveraging this vulnerability a malicious actor can consume the resource from the unsubscribed API without the API owner's consent. In addition, If the application has an already generated API key without the expiration period for an unsubscribed API, then the API owner will not have the ability to manage that application subscription since the API subscription is not
listed against the API in the Publisher.

SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix: https://github.com/wso2/carbon-apimgt/pull/10663

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.