Security Advisory WSO2-2022-2101

Published: June 15, 2023

Version: 1.0.0

Severity: Low

CVSS Score: 2.3 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)


  • WSO2 API Manager : 4.1.0 , 4.0.0 , 3.2.0 , 3.1.0 , 3.0.0
  • WSO2 IS as Key Manager : 5.10.0 , 5.9.0
  • WSO2 Identity Server : 6.0.0 , 5.11.0 , 5.10.0 , 5.9.0 , 5.8.0


Potential broken access control vulnerability.


Identity claim data are retrieved from the user store if the identity data store does not have a value for the claim. This would happen when the JDBCIdentityDataStore is configured as the Identity data store.


By leveraging the identified vulnerability, The user store administrator can manipulate certain account related functionalities.


If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix:

Further, If you are not using above mentioned behavior intentionally, please follow the below steps:

  • Apply the provided patch/update to the affected versions of the products.
  • Add the following configuration to deployment.toml file.
    [event.default_listener.governance_identity_store] enable_hybrid_data_store = false


If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.