Security Advisory WSO2-2020-0751

Published: January 11, 2021

Version: 1.0.0

Severity: High

CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)


AFFECTED PRODUCTS

  • WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0
  • WSO2 API Microgateway : 2.2.0
  • WSO2 IS as Key Manager : 5.5.0 , 5.6.0 , 5.7.0 , 5.9.0 , 5.10.0
  • WSO2 Identity Server : 5.4.0 , 5.4.1 , 5.5.0 , 5.6.0 , 5.7.0 , 5.8.0 , 5.9.0 , 5.10.0

OVERVIEW

Improper validation of the parameters submitted during multi-option login.

DESCRIPTION

Identify Provider (IDP) name parameter submitted during multi-option login operations was not properly validated, which could lead to authenticating using an unintended identity-provider to an application.

IMPACT

This vulnerability has an impact only if; the system uses multi-option login, multiple identity-providers of the same type of federated authenticator (eg: SAML federated authenticator) are used, and at least one of those identity-providers are not associated with the application. In addition, the malicious external party should know an identity-provider name used in a different application, and knows a valid user-account at the desired identity-provider. If said pre-conditions are met, a malicious external party could force an unintended, yet same type authenticator, to be used during the multi-option login operation. This could lead to confidentiality, integrity and availability impact to the application, depending on the functionalities made available to the authenticated users.

SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

Info

If you are a WSO2 customer with a support subscription, use WSO2 Update Manager(WUM) updates in order to apply the fix to the affected versions.