/
Security Advisory WSO2-2021-1574
com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links' is unknown.

Security Advisory WSO2-2021-1574

Owned by Former user (Deleted)
Last updated: Feb 15, 2022

Published: 14th February 2022

Version: 1.0.0

Severity: Medium

CVSS Score:  5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)


AFFECTED PRODUCTS

WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0
WSO2 API Microgateway : 2.2.0
WSO2 IS as Key Manager : 5.10.0


OVERVIEW

Potential sensitive information disclosure via log files when JMS connection failure occurs.


DESCRIPTION

When special characters are contained in JMS connection credentials, JMS connection string (including credentials) are logged to "wso2carbon" log during JMS connection failures.


IMPACT

In order to leverage this vulnerability, a malicious actor should have the privileges to access the "wso2carbon" log files. If such access is obtained, a malicious actor could obtain the JMS connection credentials from log files, given the following conditions:

  • JMS connection credentials must contain special characters.
  • There were JMS connection failures that resulted in persisting the connection string (with credentials) to the log file.


SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix: https://github.com/wso2/carbon-apimgt/pull/10787

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.


Related content

com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links2' is unknown.