-
Notifications
You must be signed in to change notification settings - Fork 71
June Public announcement #224
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
anjai94
wants to merge
4
commits into
wso2:main
Choose a base branch
from
anjai94:public_announcement
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
117 changes: 117 additions & 0 deletions
117
en/docs/security-announcements/security-advisories/2026/WSO2-2025-4227.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| --- | ||
| title: Security Advisory WSO2-2025-4227/CVE-2025-5802 | ||
| category: security-announcements | ||
| published: "July 04, 2026" | ||
| version: "1.0" | ||
| severity: "Medium" | ||
| cvss: "5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)" | ||
| --- | ||
|
|
||
| # Security Advisory WSO2-2025-4227/CVE-2025-5802 | ||
|
|
||
| <p class="doc-info">Published: July 04, 2026</p> | ||
| <p class="doc-info">Updated: July 04, 2026</p> | ||
| <p class="doc-info">Version: 1.0</p> | ||
| <p class="doc-info">Severity: Medium</p> | ||
| <p class="doc-info">CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)</p> | ||
| <p class="doc-info">CVE IDs: <a href="https://www.cve.org/CVERecord?id=CVE-2025-5802">CVE-2025-5802</a></p> | ||
| --- | ||
|
|
||
| ### AFFECTED PRODUCTS | ||
| * WSO2 API Control Plane: 4.6.0, 4.5.0 | ||
| * WSO2 API Manager: 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0 | ||
| * WSO2 Identity Server: 7.2.0, 7.1.0, 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0 | ||
| * WSO2 Identity Server as Key Manager: 5.10.0 | ||
| * WSO2 Open Banking AM: 2.0.0 | ||
| * WSO2 Open Banking IAM: 2.0.0 | ||
| * WSO2 Traffic Manager: 4.6.0, 4.5.0 | ||
| * WSO2 Universal Gateway: 4.6.0, 4.5.0 | ||
|
|
||
|
|
||
| ### OVERVIEW | ||
| Potential username enumeration in self registration flow. | ||
|
|
||
|
|
||
| ### DESCRIPTION | ||
| In the self-registration flow, attempting to sign up with a username that already exists triggers an error message indicating that the username is in use. This behavior can inadvertently reveal whether a username is registered, leading to username enumeration. | ||
|
|
||
|
|
||
| ### IMPACT | ||
| The discovery of valid usernames can increase the risk of brute force attacks, social engineering attacks, and information leakage. As an example, attackers can use the list of usernames to craft targeted phishing emails or other social engineering attacks to trick users into divulging sensitive information. | ||
|
|
||
|
|
||
| ### SOLUTION | ||
|
|
||
|
|
||
|
|
||
| #### Community Users (Open Source) | ||
| Apply the relevant fixes to your product using the public fix(es) provided below. | ||
|
|
||
| * [https://github.com/wso2-extensions/identity-governance/pull/1097](https://github.com/wso2-extensions/identity-governance/pull/1097) | ||
| * [https://github.com/wso2/product-apim/pull/14023](https://github.com/wso2/product-apim/pull/14023) | ||
| * [https://github.com/wso2/carbon-apimgt/pull/13650](https://github.com/wso2/carbon-apimgt/pull/13650) | ||
|
|
||
| If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s). | ||
|
|
||
|
|
||
| #### Support Subscription Holders | ||
|
|
||
| Update your product to the specified update level or a higher update level to apply the fix. | ||
|
|
||
| !!! info todo | ||
| **WSO2 Support Subscription Holders may use [WSO2 Updates](https://wso2.com/updates/) in order to apply the fix.** | ||
|
|
||
| | Product Name | Product Version | Update Level | | ||
| | ----------------------------------- | --------------- | ------------ | | ||
| | WSO2 API Control Plane | 4.6.0 | 18 | | ||
| | WSO2 API Control Plane | 4.5.0 | 56 | | ||
| | WSO2 API Manager | 4.6.0 | 17 | | ||
| | WSO2 API Manager | 4.5.0 | 55 | | ||
| | WSO2 API Manager | 4.4.0 | 72 | | ||
| | WSO2 API Manager | 4.3.0 | 112 | | ||
| | WSO2 API Manager | 4.2.0 | 200 | | ||
| | WSO2 API Manager | 4.1.0 | 262 | | ||
| | WSO2 API Manager | 4.0.0 | 379 | | ||
| | WSO2 API Manager | 3.2.1 | 96 | | ||
| | WSO2 API Manager | 3.2.0 | 458 | | ||
| | WSO2 API Manager | 3.2.0 | 478 | | ||
| | WSO2 API Manager | 3.1.0 | 354 | | ||
| | WSO2 Identity Server | 7.2.0 | 3 | | ||
| | WSO2 Identity Server | 7.1.0 | 41 | | ||
| | WSO2 Identity Server | 7.0.0 | 133 | | ||
| | WSO2 Identity Server | 6.1.0 | 234 | | ||
| | WSO2 Identity Server | 6.1.0 | 257 | | ||
| | WSO2 Identity Server | 6.0.0 | 257 | | ||
| | WSO2 Identity Server | 5.11.0 | 430 | | ||
| | WSO2 Identity Server | 5.10.0 | 383 | | ||
| | WSO2 Identity Server as Key Manager | 5.10.0 | 374 | | ||
| | WSO2 Open Banking AM | 2.0.0 | 403 | | ||
| | WSO2 Open Banking IAM | 2.0.0 | 423 | | ||
| | WSO2 Traffic Manager | 4.6.0 | 17 | | ||
| | WSO2 Traffic Manager | 4.5.0 | 54 | | ||
| | WSO2 Universal Gateway | 4.6.0 | 17 | | ||
| | WSO2 Universal Gateway | 4.5.0 | 55 | | ||
|
|
||
| After applying the provided update or public PR to the affected product versions, follow the instructions below to apply the required configurations for the respective product to fully mitigate the identified vulnerability. | ||
|
|
||
| **WSO2 Identity Server 7.2.0, 7.1.0 and 7.0.0** | ||
|
|
||
| In the Console, navigate to Login & Registration and uncheck "Display message if username unavailable" with account verification enabled. (This configuration was already available in 7.1.0 upwards and is now extended to cover additional flows.) | ||
|
|
||
| **WSO2 Identity Server 6.1.0 and 6.0.0** | ||
|
|
||
| In the Carbon Management Console, navigate to `Home > Identity > Identity Providers > Resident > User Onboarding > Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable" with account confirmation enabled. | ||
|
|
||
| **WSO2 Identity Server 5.11.0** | ||
|
|
||
| In the Carbon Management Console, navigate to `Home > Identity > Identity Providers > Resident > User Onboarding > Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable". | ||
|
|
||
| **WSO2 Identity Server 5.10.0** | ||
|
|
||
| In the `Carbon Management Console, navigate to Home > Identity > Identity Providers > Resident > Account Management Policies > User Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable" with account confirmation enabled. | ||
|
|
||
| **WSO2 API Manager 3.2.0, 3.2.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0 and 4.6.0** | ||
|
|
||
| In the `Carbon Management Console, navigate to Main > Home > Identity > Identity Providers > Resident > User Onboarding > Self Registration`. Uncheck the newly introduced configuration "Display message if username unavailable" and check “Send sign up confirmation email” and “Lock user account on creation” configurations with account verification via email enabled. | ||
|
|
||
|
|
126 changes: 126 additions & 0 deletions
126
en/docs/security-announcements/security-advisories/2026/WSO2-2026-4608.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| --- | ||
| title: WSO2-2026-4608 | ||
| --- | ||
|
|
||
| # WSO2-2026-4608 | ||
|
|
||
| Content to be added. | ||
| --- | ||
| title: Security Advisory WSO2-2026-4608/CVE-2026-3863 | ||
| category: security-announcements | ||
| published: "July 04, 2026" | ||
| version: "1.0" | ||
| severity: "Medium" | ||
| cvss: "4.9" | ||
| --- | ||
|
|
||
| # Security Advisory WSO2-2026-4608/CVE-2026-3863 | ||
|
|
||
| <p class="doc-info">Published: July 04, 2026</p> | ||
| <p class="doc-info">Updated: July 04, 2026</p> | ||
| <p class="doc-info">Version: 1.0</p> | ||
| <p class="doc-info">Severity: Medium</p> | ||
| <p class="doc-info">CVSS Score: 4.9</p> | ||
| <p class="doc-info">CVE IDs: <a href="https://www.cve.org/CVERecord?id=CVE-2026-3863">CVE-2026-3863</a></p> | ||
| --- | ||
|
|
||
| ### AFFECTED PRODUCTS | ||
| * WSO2 API Control Plane: 4.6.0, 4.5.0 | ||
| * WSO2 API Manager: 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 3.2.1, 3.2.0 | ||
| * WSO2 Traffic Manager: 4.6.0, 4.5.0 | ||
| * WSO2 Universal Gateway: 4.6.0, 4.5.0 | ||
|
|
||
|
|
||
| ### OVERVIEW | ||
| Authenticated Denial-of-Service (DoS) vulnerability. | ||
|
|
||
|
|
||
| ### DESCRIPTION | ||
| An authenticated user with publisher privileges can submit a URL referencing a large file. Processing this file can lead to uncontrolled memory consumption, potentially resulting in an out-of-memory condition. | ||
|
|
||
|
|
||
| ### IMPACT | ||
| A user with publisher privileges can exploit this vulnerability. A successful exploitation could result in the complete unavailability of the service. | ||
|
|
||
|
|
||
| ### SOLUTION | ||
|
|
||
|
|
||
|
|
||
| #### Community Users (Open Source) | ||
| Apply the relevant fixes to your product using the public fix(es) provided below. | ||
|
|
||
| * [https://github.com/wso2/product-apim/pull/14151](https://github.com/wso2/product-apim/pull/14151) | ||
| * [https://github.com/wso2/carbon-apimgt/pull/13784](https://github.com/wso2/carbon-apimgt/pull/13784) | ||
|
|
||
| If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s). | ||
|
|
||
|
|
||
| #### Support Subscription Holders | ||
|
|
||
| Update your product to the specified update level or a higher update level to apply the fix. | ||
|
|
||
| !!! info todo | ||
| **WSO2 Support Subscription Holders may use [WSO2 Updates](https://wso2.com/updates/) in order to apply the fix.** | ||
|
|
||
| | Product Name | Product Version | Update Level | | ||
| | ---------------------- | --------------- | ------------ | | ||
| | WSO2 API Control Plane | 4.6.0 | 25 | | ||
| | WSO2 API Control Plane | 4.5.0 | 61 | | ||
| | WSO2 API Manager | 4.6.0 | 24 | | ||
| | WSO2 API Manager | 4.5.0 | 60 | | ||
| | WSO2 API Manager | 4.4.0 | 71 | | ||
| | WSO2 API Manager | 4.4.0 | 75 | | ||
| | WSO2 API Manager | 4.3.0 | 110 | | ||
| | WSO2 API Manager | 4.2.0 | 199 | | ||
| | WSO2 API Manager | 4.1.0 | 259 | | ||
| | WSO2 API Manager | 3.2.1 | 93 | | ||
| | WSO2 API Manager | 3.2.0 | 474 | | ||
| | WSO2 Traffic Manager | 4.6.0 | 24 | | ||
| | WSO2 Traffic Manager | 4.5.0 | 58 | | ||
| | WSO2 Universal Gateway | 4.6.0 | 24 | | ||
| | WSO2 Universal Gateway | 4.5.0 | 60 | | ||
|
|
||
| After applying the provided update or public PR to the affected product versions, it is necessary to follow the below given instruction. | ||
|
|
||
| This update resolves the issue by enforcing a default file upload limit of 10 MB. To adjust this limit, you can modify the `<PRODUCT HOME>/repository/conf/deployment.toml` file. Apply the following configurations to increase or decrease the default file size limit as part of the security update: | ||
|
|
||
| * For WSO2 APIM 3.2.0, 3.2.1: | ||
|
|
||
| ```toml | ||
| [apim.publisher.import_definition_file_size_limit] | ||
| oas=20 | ||
| wsdl=20 | ||
| ``` | ||
|
|
||
| For WSO2 APIM 4.1.0, 4.2.0, 4.3.0, 4.4.0: | ||
|
|
||
| ```toml | ||
| [apim.publisher.import_definition_file_size_limit] | ||
| oas=20 | ||
| wsdl=20 | ||
| async=20 | ||
| ``` | ||
|
|
||
| * For WSO2 APIM 4.5.0: | ||
|
|
||
| ```toml | ||
| [apim.publisher.import_definition_file_size_limit] | ||
| oas=20 | ||
| wsdl=20 | ||
| async=20 | ||
| graphql=20 | ||
| ``` | ||
|
|
||
| * For WSO2 APIM 4.6.0: | ||
|
|
||
| ```toml | ||
| [apim.publisher.import_definition_file_size_limit] | ||
| oas=20 | ||
| wsdl=20 | ||
| async=20 | ||
| graphql=20 | ||
| mcp=20 | ||
| ``` | ||
|
|
||
| The aforementioned values represent the maximum file size limit in megabytes (MB) for importing API definitions through a URL across OAS, Async, WSDL, GraphQL, and MCP formats. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.