CVE-2024-4598
Information Disclosure in Multiple WSO2 Products Due to Improper Handling in Enrich Mediator
In short
A vulnerability in WSO2 products allows authenticated users to see sensitive business data from other message flows due to improper isolation in the enrich mediator. This can leak private information processed by the system, though user passwords and security tokens remain protected.
Technical detail
The enrich mediator in multiple WSO2 products fails to properly isolate or reset internal state between mediation executions, allowing authenticated attackers to access sensitive business data from other mediation contexts via CWE-1259 (Improper Restriction of Rendered UI Layers or Frames). The vulnerability requires valid authentication and affects data confidentiality but not credential exposure.
Summary generated and translated by AI from the official description.
An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions.
This vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →