CVE-2024-6763

WSO2 Products impacted: no

Customer actions required: no


REPORTED VULNERABILITY

The HttpURI class performs insufficient validation on the authority segment of a URI [1].

REPORTED PRODUCTS

  • WSO2 Identity Server : 5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0, 7.1.0
  • WSO2 API Manager : 3.0.0, 3.1.0, 3.2.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0
  • WSO2 MI Dashboard : 1.2.0, 4.1.0, 4.2.0
  • WSO2 Integration Control Plane : 1.0.0

WSO2 JUSTIFICATION

This vulnerability has been addressed in Jetty HTTP version 12.0.12 and onwards. However, Jetty HTTP 12.0.x requires Java 17 [2], while WSO2 IS versions 5.10.0 to 7.1.0 still support Java versions below 17. Due to these concerns, we are publishing this CVE justification with a detailed analysis of the CVE, outlining how the associated risks are mitigated in WSO2 products and the actions WSO2 is taking in response.

As part of our analysis, we conducted a comprehensive review of WSO2 Identity Server’s usage of Jetty’s HttpURI class, including static code analysis and runtime dependency tracing. Our investigation confirmed that the HttpURI class, which is the specific component that could be exploited through this vulnerability, is neither referenced nor invoked anywhere in the WSO2 Identity Server codebase. Therefore, we conclude that this vulnerability does not pose a security risk to WSO2 Identity Server products.
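One way for a deployment owner to independently reproduce the static-analysis part of the check above (whether any compiled class on a product's classpath references Jetty's HttpURI) is to look for the class's internal name in the constant pool of every .class entry in every jar under an installation directory. The script below is an added example, not WSO2's own tooling; it assumes a directory of jars is passed on the command line and otherwise runs against a tiny jar it constructs in memory. A byte search is a conservative approximation of constant-pool parsing: it cannot miss a direct bytecode reference, but it can over-report (for example, a string literal with the same text), and it does not replace the runtime dependency tracing also mentioned above.

```python
"""Scan jars under a directory for bytecode references to a given JVM class.

Added example (not WSO2's own code): approximates the static-analysis step by
searching each .class file inside each .jar for the target class's internal
(slash-separated) name, which javac emits as a CONSTANT_Utf8 entry whenever
the class is referenced as a field/method owner, type descriptor, or ldc.
"""
import io
import os
import sys
import zipfile

# Internal name of the class discussed in CVE-2024-6763.
TARGET_CLASS = "org/eclipse/jetty/http/HttpURI"


def class_references(class_bytes: bytes, target: str = TARGET_CLASS) -> bool:
    """Return True if the compiled class bytes contain the target's internal name."""
    return target.encode("utf-8") in class_bytes


def scan_jar(jar_bytes: bytes, target: str = TARGET_CLASS) -> list:
    """Return the names of .class entries inside a jar that reference target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and class_references(zf.read(name), target):
                hits.append(name)
    return hits


def scan_directory(root: str, target: str = TARGET_CLASS) -> dict:
    """Walk root, scan every .jar, and return {jar_path: [referencing classes]}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(".jar"):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    hits = scan_jar(fh.read(), target)
                if hits:
                    report[path] = hits
    return report


def build_sample_jar() -> bytes:
    """Construct a tiny jar in memory for demonstration (not a real WSO2 artifact).

    Each fake class is just the class-file magic, a version field, and one
    CONSTANT_Utf8 entry (tag 0x01, two-byte length, bytes); that is enough to
    exercise the search without being a loadable class.
    """
    header = b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x34"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "org/example/UsesHttpUri.class",
            header + b"\x01\x00\x1e" + TARGET_CLASS.encode("utf-8"),
        )
        zf.writestr(
            "org/example/Clean.class",
            header + b"\x01\x00\x10" + b"java/lang/Object",
        )
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_httpuri.py /path/to/wso2-installation
        for jar, classes in scan_directory(sys.argv[1]).items():
            print(jar, "->", ", ".join(classes))
    else:
        print(scan_jar(build_sample_jar()))  # ['org/example/UsesHttpUri.class']
```

An empty report from scan_directory over the product's lib directories is consistent with the "neither referenced nor invoked" finding; any hit names the exact jar and class to inspect further.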

REFERENCES