Security Advisory WSO2-2020-0722

Published: November 06, 2020

Version: 1.0.0

Severity: High

CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)


AFFECTED PRODUCTS

  • WSO2 API Manager : 2.6.0 or earlier
  • WSO2 API Microgateway : 2.2.0
  • WSO2 IS as Key Manager : 5.7.0 or earlier
  • WSO2 Identity Server : 5.7.0 or earlier

OVERVIEW

A broken authorization vulnerability caused by the way OAuth token cache keys are generated.

DESCRIPTION

When the same username exists in both the primary user store and a federated IDP, the same OAuth cache key is generated regardless of whether the authorized user is a federated user or not, provided the Client ID and the requested scopes are the same.

IMPACT

Because the user identification used to generate the cache key is not unique, the primary user store user's cached data will be served to the federated user, or vice versa. Therefore, a malicious user in a federated IDP is able to gain access to the secured resources of a user from the primary user store.
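The cache-key collision described above, modelled as an added example that is not WSO2's code: the vulnerable key is built from the username, Client ID and scopes only, while the corrected key also qualifies the username with its user store domain or federated IdP. The key formats, class names and sample values are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class AuthenticatedUser:
    """The identity an OAuth token was issued to (assumed model)."""
    username: str
    user_store_domain: str            # e.g. "PRIMARY" for the local user store
    federated: bool = False
    federated_idp: Optional[str] = None


def vulnerable_cache_key(user: AuthenticatedUser, client_id: str, scopes: Iterable[str]) -> str:
    # Weak key: username, Client ID and scopes only. A local and a federated user
    # who share a username therefore map to the same cache entry.
    return f"{user.username}:{client_id}:{','.join(sorted(scopes))}"


def fixed_cache_key(user: AuthenticatedUser, client_id: str, scopes: Iterable[str]) -> str:
    # Corrected key (assumed format): prefix the username with where the identity
    # came from, so "alice" from PRIMARY and "alice" from a federated IdP never collide.
    origin = f"FEDERATED/{user.federated_idp}" if user.federated else user.user_store_domain
    return f"{origin}/{user.username}:{client_id}:{','.join(sorted(scopes))}"


class TokenCache:
    """Minimal in-memory OAuth token cache parameterised by a key function."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.entries: Dict[str, str] = {}

    def put(self, user, client_id, scopes, token: str) -> None:
        self.entries[self.key_fn(user, client_id, scopes)] = token

    def get(self, user, client_id, scopes) -> Optional[str]:
        return self.entries.get(self.key_fn(user, client_id, scopes))


def lookup_as_federated_user(key_fn) -> Optional[str]:
    """Cache a local user's token, then look it up as a federated user with the
    same username, Client ID and scopes. Returns the token only if the keys collide."""
    cache = TokenCache(key_fn)
    local_alice = AuthenticatedUser("alice", "PRIMARY")
    federated_alice = AuthenticatedUser("alice", "FEDERATED", federated=True, federated_idp="partner-idp")
    cache.put(local_alice, "client-123", {"read", "write"}, "token-of-local-alice")  # constructed sample values
    return cache.get(federated_alice, "client-123", {"write", "read"})


if __name__ == "__main__":
    print("vulnerable:", lookup_as_federated_user(vulnerable_cache_key))  # token-of-local-alice
    print("fixed:     ", lookup_as_federated_user(fixed_cache_key))       # None
```

With the weak key the federated "alice" receives the local user's cached token; with the origin-qualified key the lookup misses, so each identity gets only its own entry.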

SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(es):

Info

If you are a WSO2 customer with a support subscription, use WSO2 Update Manager (WUM) updates to apply the fix to the affected versions.