Security Advisory WSO2-2021-1605
Published: March 08, 2022
Version: 1.0.0
Severity: High
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)
AFFECTED PRODUCTS
- WSO2 API Manager : 4.0.0 , 3.2.0 , 3.1.0 , 3.0.0
- WSO2 IS as Key Manager : 5.10.0 , 5.9.0
- WSO2 Identity Server : 5.11.0 , 5.10.0 , 5.9.0 , 5.8.0
OVERVIEW
Potential unauthorized profile update vulnerability in federated authentication with JIT provisioning when specific configurations are enabled.
DESCRIPTION
For this vulnerability to have any impact on your deployment, the following conditions must be met:
- An IDP configured for federated authentication, with JIT provisioning enabled using the "Prompt for username, password, and consent" option.
The malicious actor must have:
- Knowledge of the username of a valid user in the local IDP.
- An email address at the federated IDP whose local part (the portion before "@") is the targeted user's username, i.e. <usernameOfTargetUserAccount>@mail.com.
When all preconditions are met, a malicious actor could use the JIT provisioning flow to change the victim's user profile information.
IMPACT
There is no impact on your deployment unless every precondition listed in the description section is met. Only when all of them are met could a malicious actor update the email address of a targeted local user account using a federated IDP user account.
However, this can be escalated to an account takeover when password recovery is enabled in the vulnerable deployment, since recovery messages would then be sent to the attacker-controlled email address.
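To make the provisioning failure mode described above concrete, here is an added model of a JIT-provisioning decision (not WSO2's code; the data model and the rule that the local username is derived from the federated email's local part are assumptions). It contrasts an unsafe update rule, which overwrites any local account whose username matches, with a hardened rule that only updates an account already linked to the same IDP subject and otherwise rejects the provisioning request.

```python
from dataclasses import dataclass, field

@dataclass
class LocalUser:
    username: str
    email: str
    # (idp_name, federated_subject) pairs this local account is linked to
    linked_identities: set = field(default_factory=set)

@dataclass
class FederatedClaims:
    idp: str
    subject: str  # stable identifier issued by the federated IDP
    email: str

class UserStore:
    """Minimal in-memory local user store (constructed for this example)."""
    def __init__(self):
        self.users = {}
    def add(self, user):
        self.users[user.username] = user
    def get(self, username):
        return self.users.get(username)

def derive_username(claims):
    # Assumption: the local username is the local part of the federated email.
    return claims.email.split("@", 1)[0]

def jit_provision_unsafe(store, claims):
    """Unsafe pattern: any existing local account whose username matches
    the derived name is updated with the federated profile data."""
    name = derive_username(claims)
    user = store.get(name)
    if user is None:
        store.add(LocalUser(name, claims.email, {(claims.idp, claims.subject)}))
        return "created"
    user.email = claims.email  # victim's email replaced by attacker-controlled one
    return "updated"

def jit_provision_safe(store, claims):
    """Hardened rule: an existing account is only updated when it is already
    linked to this exact IDP subject; a username collision is rejected."""
    name = derive_username(claims)
    user = store.get(name)
    if user is None:
        store.add(LocalUser(name, claims.email, {(claims.idp, claims.subject)}))
        return "created"
    if (claims.idp, claims.subject) in user.linked_identities:
        user.email = claims.email
        return "updated"
    return "rejected"  # worth alerting on: unlinked federated identity collided with a local username
```

A "rejected" outcome is a useful detection signal: repeated collisions between unlinked federated identities and existing local usernames are exactly the pattern this advisory describes.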
SOLUTION
If the latest version of the affected WSO2 product is not listed under the affected products, migrate to the latest version to receive the security fix.
Otherwise, apply the relevant public fix(es) to your product version:
Info: If you are a WSO2 customer with a support subscription, use WSO2 Updates to apply the fix.
CREDITS
WSO2 thanks Trình Mai Công for responsibly reporting the identified issue and working with us as we addressed it.