SECURITY ADVISORY WSO2-2023-2577

Published: May 31, 2024

Version: 1.0.0

Severity: Medium

CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


AFFECTED PRODUCTS

  • WSO2 API Manager : 4.2.0 , 4.1.0 , 4.0.0 , 3.2.0 , 3.1.0 , 3.0.0
  • WSO2 IS as Key Manager : 5.10.0 , 5.9.0
  • WSO2 Identity Server : 6.1.0 , 6.0.0 , 5.11.0 , 5.10.0 , 5.9.0 , 5.8.0

OVERVIEW

Potential username enumeration in self registration flow.

DESCRIPTION

Product provided reCaptcha 1 validation to prevent possibility of username enumeration. Even when reCaptcha validation is enabled, due to the absence of a validation in the check available username feature executed during the self-registration flow, a malicious actor could exploit this feature and harvest information about users who have already registered.

IMPACT

The discovery of valid usernames can increase the risk of brute force attacks, social engineering attacks, and information leakage. Attackers can use the list of usernames to craft targeted phishing emails or other social engineering attacks to trick users into divulging sensitive information. Moreover, the presence of username enumeration could damage the reputation of the organization responsible for the system and lead to loss of customer trust, regulatory non-compliance, and legal and financial consequences.

SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix:

Info

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.

References