CVE-2024-3511

EUVD-2024-32097

23.06.2025, 09:15

An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.

Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
WSO2	CNA	4.3 MEDIUM	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 7%

Affected Products (NVD)

Vendor	Product	Version
wso2	api_manager	3.2.0
wso2	api_manager	3.2.1
wso2	api_manager	4.0.0
wso2	api_manager	4.1.0
wso2	api_manager	4.2.0
wso2	api_manager	4.3.0
wso2	enterprise_integrator	6.6.0
wso2	identity_server	5.10.0
wso2	identity_server	5.11.0
wso2	identity_server	6.0.0
wso2	identity_server	6.1.0
wso2	identity_server	7.0.0
wso2	identity_server_as_key_manager	5.10.0
wso2	open_banking_am	2.0.0
wso2	open_banking_iam	2.0.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-2702/