Security Advisory WSO2-2018-0462

Published: September 03, 2018

Version: 1.0.0

Severity: Medium

CVSS Score: 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)


  • WSO2 Identity Server : 5.4.0 , 5.4.1 , 5.5.0 , 5.6.0
  • WSO2 Identity Server as Key Manager : 5.5.0 , 5.6.0
  • WSO2 Identity Server : 5.3.0 - Only if SCIM 2.0 Inbound Provisioning Connector is installed.
  • WSO2 Identity Server as Key Manager : 5.3.0 - Only if SCIM 2.0 Inbound Provisioning Connector is installed


An authentication and authorization bypass vulnerability has been detected in SCIM 2.0 API.


If the /scim2 endpoint of WSO2 Identity Server is exposed to the public, an attacker would be able to bypass the authentication and authorization of SCIM 2.0 API and execute the operations in the API.


By exploiting the vulnerability, an attacker would be able to get a user account created with a higher level of permissions bound to it and perform the actions in the system that the particular user account is permitted to.


The recommended solution is to modify the following configuration under the <ResourceAccessControl> element in IS_HOME/repository/conf/identity/identity.xml file and restart the server. Find the existing configuration and replace each entry with the new configuration.

Existing Configuration New Configuration
<Resource context="(.*)/api/identity/user/v1.0/validate-code" secured="true" http-method="all"/> <Resource context="(.*)/api/identity/user/v1.0/validate-code(.*)" secured="true" http-method="all"/>
<Resource context="(.*)/api/identity/user/v1.0/resend-code" secured="true" http-method="all"/> <Resource context="(.*)/api/identity/user/v1.0/resend-code(.*)" secured="true" http-method="all"/>
<Resource context="(.*)/api/identity/user/v1.0/me" secured="true" http-method="POST"/> <Resource context="(.*)/api/identity/user/v1.0/me(.*)" secured="true" http-method="POST"/>
<Resource context="(.*)/api/identity/user/v1.0/me" secured="true" http-method="GET"/> <Resource context="(.*)/api/identity/user/v1.0/me(.*)" secured="true" http-method="b"/>
<Resource context="(.*)/scim2/Users" secured="true" http-method="POST"> <Resource context="(.*)/scim2/Users(.*)" secured="true" http-method="POST">
<Resource context="(.*)/scim2/Groups" secured="true" http-method="POST"> <Resource context="(.*)/scim2/Groups(.*)" secured="true" http-method="POST">
<Resource context="/scim2/Bulk" secured="true" http-method="all"> <Resource context="/scim2/Bulk(.*)" secured="true" http-method="all">
<Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/pii-categories" secured=" true" http-method="POST"> <Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/pii-categories(.*)" secured=" true" http-method="POST">
<Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purposes" secured="true" http-method="POST"> <Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purposes(.*)" secured="true" http-method="POST">
<Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purpose-categories" secured="true" http-method="POST"> <Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purpose-categories(.*)" secured="true" http-method="POST">


If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.