

Security Advisory WSO2-2021-1646

Published: March 08, 2022

Version: 1.0.0

Severity: Medium

CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

---

AFFECTED PRODUCTS

• WSO2 API Manager : 4.0.0 , 3.2.0 , 3.1.0 , 3.0.0 , 2.6.0 , 2.5.0 , 2.2.0
• WSO2 Identity Server : 5.11.0 , 5.10.0 , 5.9.0 , 5.8.0 , 5.7.0 , 5.6.0 , 5.5.0 , 5.4.1
• WSO2 IoT Server: 3.3.1

OVERVIEW

A potential open redirection vulnerability in callback URL.

DESCRIPTION

The WSO2 Secure Deployment guide recommended regex callback URI validation is vulnerable to potential open redirection vulnerability.

IMPACT

By using social engineering techniques, an attacker could persuade a user to click on a valid link (but with a malicious payload) and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or harm otherwise.

SOLUTION

In order to mitigate the identified vulnerability, It is highly recommended to apply the below given configuration into the following function following path.

Service Provider > Add/Edit Service Provider > Inbound Authentication Configuration > OAuth/OpenIDConnect Configuration > Configure

Callback URL => regexp=(https://((example1\.com)|(example2:8000))(/callback))

Here example1 and example2 are sample URLs

Moreover, the product documentation is updated with the corrected configuration samples.

CREDITS

WSO2 thanks, Điện Phạm for responsibly reporting the identified issue and working with us as we addressed it.