SECURITY ADVISORY WSO2-2023-2784¶
Published: November 10, 2024
Version: 1.0.0
Severity: Medium
CVSS Score: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
AFFECTED PRODUCTS¶
- WSO2 Identity Server : 5.11.0 , 5.10.0
- WSO2 Identity Server as Key Manager : 5.10.0
OVERVIEW¶
Improper validation in the OAuth2 Device Grant Type.
DESCRIPTION¶
Due to the lack of validation in the clientID, an Access Token can be obtained from a different Service Provider that enables the OAuth2 device grant type with a valid device code. However, a device code cannot be used to obtain multiple Access Tokens.
IMPACT¶
This vulnerability allows unauthorized access to sensitive resources across different Service Providers, potentially leading to unauthorized data exposure, data manipulation, or other malicious activities when the device credential grant type is enabled.
SOLUTION¶
We highly recommend to migrate the latest version of respective WSO2 products to mitigate the identified vulnerabilities.
Info
If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.