SECURITY ADVISORY WSO2-2022-1920¶
Published: June 20, 2024
Version: 1.0.0
Severity: Medium
CVSS Score: 6.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)
AFFECTED PRODUCTS¶
- WSO2 API Manager : 3.2.0 , 3.1.0 , 3.0.0
- WSO2 Identity Server : 5.10.0 , 5.9.0 , 5.8.0
- WSO2 Identity Server as Key Manager : 5.10.0 , 5.9.0
OVERVIEW¶
A partial authentication bypass vulnerability has been identified in the application authentication flow.
DESCRIPTION¶
When there are multiple steps configured for an application authentication flow, the current state of the authentication chain is maintained by a single value that gets passed as a parameter in the URLs of the redirects. If a malicious user is aware of this value, there is a low possibility of partially bypassing the authentication chain, given the malicious actor could obtain a response generated as a result of an earlier successful authentication step using person in the middle technique or other similar means.
IMPACT¶
If an attacker is able to obtain the state maintenance parameter value at some point in the application authentication chain, it is possible to bypass the already authenticated steps by the legitimate user and attempt the remaining steps in the chain.
SOLUTION¶
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix:
- https://github.com/wso2/carbon-identity-framework/pull/3039
- https://github.com/wso2/identity-apps/pull/1124
In adition, it is highly recommended to apply the configuration changes suggested in 1 along with the provided updates.
Info
If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.