Authorization Gap in WSO2 Products Allowing Unauthorized File Access
CVE-2024-3511
4.3 MEDIUM
Key Information:
- Vendor: WSO2
- Status: Vendor
- CVE Published: 23 June 2025
What is CVE-2024-3511?
An authorization vulnerability in multiple WSO2 products allows unauthorized access to versioned files stored in the registry. The registry keeps earlier versions of a resource alongside its current copy, and the authorization check that protects the current copy is not applied consistently to those versioned copies. A malicious actor with access to the management console can use this gap to retrieve sensitive configuration or resource files they are not permitted to read. The disclosed files may include credentials or internal settings, giving the attacker material for reconnaissance and follow-on attacks. Apply the vendor update levels listed below and restrict network access to the management console to trusted administrators.
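The pattern behind this class of bug, as an added illustration rather than code from WSO2 or from the advisory: a registry that guards the current copy of a resource but resolves versioned copies through a separate code path that never consults the same permission check. The `Registry` class, its method names and the sample resources below are hypothetical and constructed for the example; the fixed variant shows that a versioned read must be authorized against the parent resource's permissions exactly as a current read is.

```python
"""Hypothetical model of an authorization gap on versioned registry resources.

This is an added example, not WSO2 code. It models the bug class described
for CVE-2024-3511: the permission check covers the current copy of a
resource but is skipped when an older version of the same resource is read.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    path: str
    allowed_roles: set
    versions: list = field(default_factory=list)  # index 0 is the oldest snapshot


class Registry:
    """Toy registry: every resource keeps its full version history."""

    def __init__(self):
        self._resources = {}

    def put(self, path, content, allowed_roles):
        """Store a new version of `path`; the first put also sets its ACL."""
        res = self._resources.get(path)
        if res is None:
            res = Resource(path=path, allowed_roles=set(allowed_roles))
            self._resources[path] = res
        res.versions.append(content)

    def _authorized(self, path, user_roles):
        res = self._resources.get(path)
        if res is None:
            return False
        return bool(res.allowed_roles & set(user_roles))

    def read_current(self, path, user_roles):
        """Guarded read of the latest version."""
        if not self._authorized(path, user_roles):
            raise PermissionError(path)
        return self._resources[path].versions[-1]

    def read_version_vulnerable(self, path, version, user_roles):
        """Versioned read that resolves the snapshot directly.

        The ACL on the parent resource is never consulted here, so any caller
        who can reach this entry point reads historical content of a resource
        they could not read through read_current().
        """
        res = self._resources.get(path)
        if res is None or not 0 <= version < len(res.versions):
            raise KeyError((path, version))
        return res.versions[version]

    def read_version_fixed(self, path, version, user_roles):
        """Versioned read that inherits the parent resource's authorization."""
        if not self._authorized(path, user_roles):
            raise PermissionError(path)
        res = self._resources[path]
        if not 0 <= version < len(res.versions):
            raise KeyError((path, version))
        return res.versions[version]


def build_sample_registry():
    """Constructed sample data: a config file readable only by admins."""
    reg = Registry()
    reg.put("/_system/config/datasources.xml", "password=old-secret", {"admin"})
    reg.put("/_system/config/datasources.xml", "password=new-secret", {"admin"})
    return reg


def demo():
    """Return (current_denied, leaked_via_version, fixed_denied) for a low-priv user."""
    reg = build_sample_registry()
    path = "/_system/config/datasources.xml"
    low_priv = {"internal/everyone"}

    try:
        reg.read_current(path, low_priv)
        current_denied = False
    except PermissionError:
        current_denied = True

    # Vulnerable path: version 0 of the same resource comes back unguarded.
    leaked = reg.read_version_vulnerable(path, 0, low_priv)

    try:
        reg.read_version_fixed(path, 0, low_priv)
        fixed_denied = False
    except PermissionError:
        fixed_denied = True

    return current_denied, leaked, fixed_denied


if __name__ == "__main__":
    print(demo())
```

The fix is deliberately the same predicate used by `read_current`: permissions belong to the resource, not to the individual snapshot, so every entry point that can return a snapshot's content must evaluate that predicate before resolving the version.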
Affected Version(s) (the second number is the WSO2 update level that carries the fix)
- WSO2 API Manager 3.1.0, update levels below 3.1.0.273
- WSO2 API Manager 3.2.0, update levels below 3.2.0.361
- WSO2 API Manager 3.2.1, update levels below 3.2.1.13
CVSS v3.1
Score: 4.3 (MEDIUM)
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: Low
Note: the metrics as listed (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) evaluate to 5.4 under the CVSS v3.1 base formula, not 4.3, and Privileges Required: None sits uneasily with a flaw that needs management console access. Confirm the vector against the vendor advisory before using it for prioritisation.
Credit
Viral Maniar - Security Researcher at Preemptive Cyber Security Pty Ltd