Security Advisory WSO2-2021-1509

Published: March 08, 2022

Version: 1.0.0

Severity: High

CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)


  • WSO2 API Manager : 4.0.0 , 3.2.0 , 3.1.0 , 3.0.0
  • WSO2 Identity Server : 5.11.0 , 5.10.0 , 5.9.0
  • WSO2 IS as Key Manager : 5.11.0 , 5.10.0 , 5.9.0
  • WSO2 IoT Server : 3.3.1
  • WSO2 Micro Integrator : 1.1.0 , 1.2.0


Intermediate Certificate Validation is skipped for SCIM2 endpoints by default Authorization bypass due to improper default configuration of Intermediate Certificate Validation on SCIM2 endpoints.


Due to the default configuration in WSO2 products, Intermediate Certificate Validation 1 is skipped for SCIM2 endpoints. When a valid CA signed certificate is used in invocations, it could be used to access resources irrespective of the privileges of the user.


In order to exploit this vulnerability, a malicious actor must have the private key of the Root CA, or a valid certificate signed by the Root CA and the associated private key. If such can be obtained, by leveraging this vulnerability, a malicious actor may invoke the SCIM2 endpoints. Such access could expose user information, and could cause confidentiality, integrity and availability impacts to targeted user records.


The recommended solution is to apply the following configuration that needs to be added into <Product_Home>/repository/conf/deployment.toml file under the [intermediate_cert_validation] tag.


NoteIntermediate certificate validation is skipped for SCIM2 endpoints by default. So you need to remove the default exempted SCIM2 context to overcome the vulnerability with the above configuration. Therefore if there is no explicit requirement, make exempt_contexts empty as shown above.