9.8

CVE-2025-9152

Improper Privilege Management in Multiple WSO2 API Manager via keymanager-operations DCR Endpoint

An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration (DCR) endpoint.

A malicious user can exploit this flaw to generate access tokens with elevated privileges, potentially leading to administrative access and the ability to perform unauthorized operations.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wso2Api Control Plane Version4.5.0 Update-
Wso2Api Manager Version3.2.0
Wso2Api Manager Version3.2.1
Wso2Api Manager Version4.0.0
Wso2Api Manager Version4.1.0 Update-
Wso2Api Manager Version4.2.0 Update-
Wso2Api Manager Version4.3.0 Update-
Wso2Api Manager Version4.4.0 Update-
Wso2Api Manager Version4.5.0 Update-
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.68% 0.475
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
ed10eef1-636d-4fbe-9993-6890dfa878f8 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4483/
Vendor Advisory