CVE-2023-6835 - OpenCVE

Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Wso2	Iot Server Api Manager

Configuration 1 [-]

OR	cpe:2.3:a:wso2:api_manager:2.2.0:::::::*
	cpe:2.3:a:wso2:api_manager:2.5.0:::::::*
	cpe:2.3:a:wso2:api_manager:2.6.0:::::::*

Configuration 2 [-]

cpe:2.3:a:wso2:iot_server:3.3.1:*:*:*:*:*:*:*

References

Link	Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: WSO2

Published: 2023-12-15T09:16:27.473Z

Updated: 2023-12-15T09:16:27.473Z

Reserved: 2023-12-15T09:13:13.207Z

Link: CVE-2023-6835

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-15T10:15:09.043

Modified: 2023-12-28T20:19:11.697

Link: CVE-2023-6835

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-6835", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "state": "PUBLISHED", "assignerShortName": "WSO2", "dateReserved": "2023-12-15T09:13:13.207Z", "datePublished": "2023-12-15T09:16:27.473Z", "dateUpdated": "2023-12-15T09:16:27.473Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WSO2 API Manager", "repo": "https://github.com/wso2/product-apim", "vendor": "WSO2", "versions": [{"lessThan": "2.2.0.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "2.2.0.16", "status": "affected", "version": "2.2.0.0", "versionType": "custom"}, {"lessThan": "2.5.0.17", "status": "affected", "version": "2.5.0.0", "versionType": "custom"}, {"lessThan": "2.6.0.24", "status": "affected", "version": "2.6.0.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 IoT Server", "repo": "https://github.com/wso2/product-iots", "vendor": "WSO2", "versions": [{"lessThan": "3.3.1.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "3.3.1.17", "status": "affected", "version": "3.3.1.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Multiple WSO2 products have been identified as vulnerable d<span style=\"background-color: var(--wht);\">ue to lack of server-side input validation in the </span><strong>Forum</strong><span style=\"background-color: var(--wht);\"> feature, API rating could be manipulated.</span>"}], "value": "Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum\u00a0feature, API rating could be manipulated."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2023-12-15T09:16:27.473Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.<br><br>Community users may apply the relevant fixes to the product based on the public fix(s) advertised in <a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1...</a><br>"}], "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\n\nCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in\u00a0 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/ \n"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6819491F-C6C3-41C1-B27A-0D0B62224977", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "0D57C8CF-084D-4142-9AF1-7C9F1261A3BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "BC168B6A-B15A-4C3B-A38D-C0B65F24F333", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:iot_server:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "53EC589C-09C6-440C-AF9A-DD86A23311FE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum\u00a0feature, API rating could be manipulated."}, {"lang": "es", "value": "Se han identificado varios productos WSO2 como vulnerables debido a la falta de validaci\u00f3n de entrada del lado del servidor en la funci\u00f3n Foro; la clasificaci\u00f3n API podr\u00eda manipularse."}], "id": "CVE-2023-6835", "lastModified": "2023-12-28T20:19:11.697", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}]}, "published": "2023-12-15T10:15:09.043", "references": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "tags": ["Vendor Advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/"}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}]}