CVE-2023-6839: 
WSO2 API Manager vulnerability analysis and mitigation

A REST API resource vulnerability was discovered in WSO2 API Manager versions 4.0.0, 3.2.0, 3.1.0, and 3.0.0. The vulnerability was assigned CVE-2023-6839 and was disclosed on December 15, 2023. The issue stems from improper error handling in a REST API resource that could expose internal system information (WSO2 Advisory).

The vulnerability is classified as CWE-209 (Generation of Error Message Containing Sensitive Information). It has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The technical issue involves improper error handling in a REST API resource that could expose a server-side error containing an internal WSO2-specific package name in the HTTP response (NVD).

The vulnerability allows an unauthenticated malicious actor to gain visibility of an internal package name. This information disclosure could be useful for attackers to understand technical information about the underlying system, specifically regarding the usage of the WSO2 product (WSO2 Advisory).

Users are advised to either migrate to the latest version of the affected WSO2 product if it's not listed under the affected product list, or apply the relevant fixes based on the public fix available at https://github.com/wso2/carbon-apimgt/pull/10444. WSO2 customers with a support subscription should use WSO2 Updates to apply the fix (WSO2 Advisory).