CVE-2024-4598

An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions. This vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wso2:api_manager:3.2.0:::::::*
	cpe:2.3:a:wso2:api_manager:3.2.1:::::::*
	cpe:2.3:a:wso2:api_manager:4.1.0:-::::::
	cpe:2.3:a:wso2:api_manager:4.3.0:-::::::
	cpe:2.3:a:wso2:micro_integrator:1.2.0:::::::*
	cpe:2.3:a:wso2:micro_integrator:4.1.0:::::::*

History

No history.

Information

Published : 2025-09-23 11:15

Updated : 2025-10-06 13:36

NVD link : CVE-2024-4598

Mitre link : CVE-2024-4598

CVE.ORG link : CVE-2024-4598

JSON object : View

Products Affected

wso2

api_manager
micro_integrator

CWE

CWE-1259

Improper Restriction of Security Token Assignment

{"id": "CVE-2024-4598", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-09-23T11:15:39.063", "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3355/", "tags": ["Vendor Advisory"], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-1259"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions.\n\nThis vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows."}], "lastModified": "2025-10-06T13:36:30.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD"}, {"criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD"}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8"}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C"}, {"criteria": "cpe:2.3:a:wso2:micro_integrator:1.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14F67374-8428-4BA4-91F4-78E520D39D93"}, {"criteria": "cpe:2.3:a:wso2:micro_integrator:4.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94843455-1DEB-43A4-969E-8B93EF7FCE2F"}], "operator": "OR"}]}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}