A ZIP-file-based directory traversal (Zip Slip) vulnerability was identified in the "Carbon Applications" add feature of WSO2 ESB. Remote code execution may be obtained by writing or overwriting specific files.
The vendor replied that this vulnerability was "Fixed in WUM" and no public disclosure was made.
This vulnerability requires:
- Valid user credentials
More details and the exploitation process can be found in this PDF.
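As an added example (not part of this advisory or of WSO2's code), the standard defensive check for this vulnerability class: an extractor that canonicalises every entry path against the destination directory and refuses the whole archive if any entry would land outside it. The archive contents, paths and function names are constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

class ZipSlipError(ValueError):
    """An archive entry would be written outside the destination directory."""

def find_escaping_entries(zip_bytes, dest):
    """Names of entries whose canonical path lies outside `dest`."""
    root = Path(dest).resolve()
    escaping = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Canonicalise first so '..' collapses. A string-prefix test is not
            # enough ('/srv/dest2' starts with '/srv/dest'); check Path.parents.
            target = (root / name).resolve()
            if target != root and root not in target.parents:
                escaping.append(name)
    return escaping

def safe_extract(zip_bytes, dest):
    """Extract into `dest`; reject the whole archive up front if any entry escapes."""
    if bad := find_escaping_entries(zip_bytes, dest):
        raise ZipSlipError(f"refusing archive, entries escape {dest}: {bad}")
    root, written = Path(dest).resolve(), []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = root / info.filename
            # Directory entries carry no data; just make sure the tree exists.
            (target if info.is_dir() else target.parent).mkdir(parents=True, exist_ok=True)
            if not info.is_dir():
                target.write_bytes(zf.read(info))
                written.append(target.relative_to(root).as_posix())
    return written

def build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed in-memory samples: a well-formed archive and one whose second entry climbs out.
BENIGN_ZIP = build_zip({"app/conf/app.xml": b"<app/>", "app/README": b"ok"})
TRAVERSAL_ZIP = build_zip({"app/conf/app.xml": b"<app/>", "../../escaped.txt": b"x"})

def demo():
    # Extract the benign archive into a scratch dir; list what the other would escape with.
    with tempfile.TemporaryDirectory() as scratch:
        return safe_extract(BENIGN_ZIP, scratch), find_escaping_entries(TRAVERSAL_ZIP, scratch)
```

Validating every entry before writing anything means a rejected archive leaves no partial files behind, which matters when the unpack step runs with the server's privileges.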