CVE-2023-6839 - Vulnerability Details - OpenCVE

Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00295.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Wso2	Api Manager

Configuration 1 [-]

OR	cpe:2.3:a:wso2:api_manager:3.0.0:::::::*
	cpe:2.3:a:wso2:api_manager:3.1.0:::::::*
	cpe:2.3:a:wso2:api_manager:3.2.0:::::::*
	cpe:2.3:a:wso2:api_manager:4.0.0:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-59044	Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.

Fixes

Solution

For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly. Community users may apply the relevant fixes to the product based on the public fix(s) advertised in https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/

Workaround

No workaround given by the vendor.

References

Link	Providers
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/

History

Tue, 08 Oct 2024 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: WSO2

Published: 2023-12-15T10:14:14.676Z

Updated: 2024-10-08T14:14:43.216Z

Reserved: 2023-12-15T10:13:25.068Z

Link: CVE-2023-6839

Vulnrichment

Updated: 2024-08-02T08:42:07.511Z

NVD

Status : Modified

Published: 2023-12-15T11:15:48.003

Modified: 2024-11-21T08:44:39.303

Link: CVE-2023-6839

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6839", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "state": "PUBLISHED", "assignerShortName": "WSO2", "dateReserved": "2023-12-15T10:13:25.068Z", "datePublished": "2023-12-15T10:14:14.676Z", "dateUpdated": "2024-10-08T14:14:43.216Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WSO2 API Manager", "repo": "https://github.com/wso2/product-apim", "vendor": "WSO2", "versions": [{"lessThan": "3.0.0.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "3.0.0.15", "status": "affected", "version": "3.0.0.0", "versionType": "custom"}, {"lessThan": "3.2.0.32", "status": "affected", "version": "3.2.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.</p>"}], "value": "Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.\n\n"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2023-12-15T10:14:14.676Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.<br><br>Community users may apply the relevant fixes to the product based on the public fix(s) advertised in <a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1...</a><br>"}], "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\n\nCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in\u00a0 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/ \n"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:42:07.511Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-14T18:47:07.653315Z", "id": "CVE-2023-6839", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-08T14:14:43.216Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:42:07.511Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-6839", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-14T18:47:07.653315Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-08T14:14:36.538Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/wso2/product-apim", "vendor": "WSO2", "product": "WSO2 API Manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "3.0.0.0", "versionType": "custom"}, {"status": "affected", "version": "3.0.0.0", "lessThan": "3.0.0.15", "versionType": "custom"}, {"status": "affected", "version": "3.2.0.0", "lessThan": "3.2.0.32", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\n\nCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in\u00a0 https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/ \n", "supportingMedia": [{"type": "text/html", "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.<br><br>Community users may apply the relevant fixes to the product based on the public fix(s) advertised in <a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1...</a><br>", "base64": false}]}], "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2023-12-15T10:14:14.676Z"}}}, "cveMetadata": {"cveId": "CVE-2023-6839", "state": "PUBLISHED", "dateUpdated": "2024-10-08T14:14:43.216Z", "dateReserved": "2023-12-15T10:13:25.068Z", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "datePublished": "2023-12-15T10:14:14.676Z", "assignerShortName": "WSO2"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "8FF14774-8935-4FC9-B5C8-9771B3D6EBFD", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.\n\n"}, {"lang": "es", "value": "Debido a un manejo inadecuado de errores, un recurso de API REST podr\u00eda exponer un error del lado del servidor que contenga un nombre de paquete interno espec\u00edfico de WSO2 en la respuesta HTTP."}], "id": "CVE-2023-6839", "lastModified": "2024-11-21T08:44:39.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-15T11:15:48.003", "references": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "tags": ["Vendor Advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1334/"}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}]}