Security Advisory WSO2-2021-1438

Published: April 01, 2022

Version: 1.0.0

Severity: Medium

CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)


  • WSO2 API Manager : 3.1.0 , 3.2.0 , 4.0.0


Existing JWT access tokens are not revoked when a new access token is generated.


When a new JWT access token is created for a combination of application, user, and scopes, existing access tokens related to that combination are not revoked and they will be valid until they expire. Due to this behaviour, users will not be able to revoke such already issued access tokens until they expire.


The impact could occur when a user needs to revoke a compromised JWT access token. Due to the vulnerability, since old JWT tokens are not revoked, the malicious actor may still use such tokens to gain access to resources in the resource server. The Confidentiality and Integrity impact of that vulnerability would vary on the sensitivity of those resources in the resource server. However, since this requires obtaining an active JWT access token, the attack complexity is high.


If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):


If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.