Security Advisory WSO2-2021-1438

Published: April 01, 2022

Version: 1.0.0

Severity: Medium

CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)


AFFECTED PRODUCTS

  • WSO2 API Manager: 3.1.0, 3.2.0, 4.0.0

OVERVIEW

Existing JWT access tokens are not revoked when a new access token is generated.

DESCRIPTION

When a new JWT access token is created for a combination of application, user, and scopes, the access tokens previously issued for that same combination are not revoked; they remain valid until they expire. Generating a new token is therefore not an effective way to retire an earlier one, and users are unable to revoke such already issued access tokens before their expiry.
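To make the behaviour described above concrete, the following is an added illustration and not WSO2 code (it does not reproduce WSO2 API Manager's token handling): a minimal authorization server that issues HS256 JWTs and records each token's jti, together with the check a resource server would make against its revocation list. The issuer URL, application and user identifiers, signing key and timestamps are all constructed for the demonstration. With revoke_on_reissue=False the issuer behaves as this advisory describes: the first token is still accepted after a replacement is generated for the same application, user and scope combination. With revoke_on_reissue=True the earlier token is placed on the revocation list as soon as the replacement is issued.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Iterable, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, now: float) -> Optional[dict]:
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


@dataclass
class TokenIssuer:
    """Authorization server that remembers which JWTs it issued for each
    (application, user, scopes) combination. Constructed for this example.

    revoke_on_reissue=False reproduces the advisory's behaviour: issuing a new token
    leaves earlier tokens for the combination valid until they expire.
    revoke_on_reissue=True is the corrected behaviour: earlier tokens for the
    combination are revoked the moment a replacement is issued.
    """
    key: bytes
    revoke_on_reissue: bool
    lifetime: int = 3600
    active: dict = field(default_factory=dict)  # combination -> set of live jti values
    revoked: set = field(default_factory=set)   # jti values a resource server must reject

    def issue(self, client_id: str, user: str, scopes: Iterable[str], now: float) -> str:
        combo = (client_id, user, frozenset(scopes))
        if self.revoke_on_reissue:
            # Corrected behaviour: retire every token previously issued for this combination.
            self.revoked.update(self.active.get(combo, set()))
            self.active[combo] = set()
        jti = secrets.token_hex(16)
        self.active.setdefault(combo, set()).add(jti)
        claims = {"iss": "https://as.example", "aud": client_id, "sub": user,   # constructed values
                  "scope": " ".join(sorted(scopes)), "jti": jti,
                  "iat": int(now), "exp": int(now) + self.lifetime}
        return mint_jwt(claims, self.key)

    def revoke(self, token: str, now: float) -> None:
        """Explicit revocation of a single token by its jti."""
        claims = verify_jwt(token, self.key, now)
        if claims:
            self.revoked.add(claims.get("jti"))


def resource_server_accepts(issuer: TokenIssuer, token: str, now: float) -> bool:
    """Resource-server check: valid signature, unexpired, and jti not on the revocation list."""
    claims = verify_jwt(token, issuer.key, now)
    return claims is not None and claims.get("jti") not in issuer.revoked


def old_token_survives_reissue(revoke_on_reissue: bool, now: float = 1_700_000_000.0) -> bool:
    """Issue a token, then a replacement for the same combination, and report whether the
    resource server still accepts the first one (the advisory's scenario)."""
    issuer = TokenIssuer(key=b"constructed-demo-key", revoke_on_reissue=revoke_on_reissue)
    first = issuer.issue("app-1", "alice", {"read", "write"}, now)
    issuer.issue("app-1", "alice", {"read", "write"}, now + 1)  # user regenerates the token
    return resource_server_accepts(issuer, first, now + 2)


if __name__ == "__main__":
    print("vulnerable: first token accepted after reissue ->", old_token_survives_reissue(False))
    print("fixed:      first token accepted after reissue ->", old_token_survives_reissue(True))
```

The revocation list is keyed on jti rather than on the token string so that the resource server can be fed a compact list of retired identifiers instead of whole tokens; note that a resource server which validates JWTs purely by signature and expiry, without consulting such a list, cannot distinguish the retired token from the live one.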

IMPACT

The impact arises when a user needs to revoke a compromised JWT access token. Because earlier JWT tokens are not revoked when a new one is issued, a malicious actor holding such a token can continue to use it to access resources on the resource server until it expires. The Confidentiality and Integrity impact depends on the sensitivity of those resources. However, since exploitation first requires obtaining an active JWT access token, the attack complexity is high.

SOLUTION

If the latest version of the affected WSO2 product is not listed under the affected products above, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(es):

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.