SECURITY ADVISORY WSO2-2023-2784

Published: November 10, 2024

Version: 1.0.0

Severity: Medium

CVSS Score: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)


AFFECTED PRODUCTS

  • WSO2 Identity Server: 5.11.0, 5.10.0
  • WSO2 Identity Server as Key Manager: 5.10.0

OVERVIEW

Improper validation in the OAuth2 Device Grant Type.

DESCRIPTION

Because the clientID is not validated, a valid device code can be used to obtain an Access Token from a different Service Provider that enables the OAuth2 device grant type. A device code still cannot be used to obtain multiple Access Tokens.
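The defect class described above, as an added illustrative model in Python (not WSO2 Identity Server code and not the vendor's fix): a minimal RFC 8628 device-grant server whose token endpoint is shown twice, once checking only that the device code is valid and the client is registered, and once also requiring that the client presenting the code is the one that started the device authorization. Service Provider names, device codes and all function names are constructed for the example.

```python
"""Illustrative model of an OAuth2 device-grant token endpoint (RFC 8628).

Added example, not WSO2 code or the vendor's fix. It contrasts a token check
that ignores client_id (the defect class in this advisory) with one that binds
each device code to the client that started the flow. All names are constructed.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class DeviceAuth:
    """State the device-authorization endpoint records for one request."""
    client_id: str          # Service Provider that requested the device code
    device_code: str
    expires_at: float
    approved: bool = False  # set once the user completes the user_code step
    consumed: bool = False  # a device code yields at most one token


class DeviceGrantServer:
    def __init__(self, clients, lifetime=600):
        self.clients = set(clients)   # registered Service Providers (constructed)
        self.lifetime = lifetime
        self.pending = {}             # device_code -> DeviceAuth

    def device_authorization(self, client_id):
        """Step 1 (RFC 8628 section 3.1): a client asks for a device code."""
        if client_id not in self.clients:
            raise ValueError("invalid_client")
        code = secrets.token_urlsafe(32)
        self.pending[code] = DeviceAuth(client_id, code, time.time() + self.lifetime)
        return code

    def user_approves(self, device_code):
        """Step 2: the user enters the user_code in a browser and consents."""
        self.pending[device_code].approved = True

    def _checked(self, device_code):
        """Checks shared by both endpoints: known, unused, unexpired, approved."""
        auth = self.pending.get(device_code)
        if auth is None or auth.consumed:
            raise ValueError("invalid_grant")
        if time.time() > auth.expires_at:
            raise ValueError("expired_token")
        if not auth.approved:
            raise ValueError("authorization_pending")
        return auth

    def token_vulnerable(self, client_id, device_code):
        """Step 3 without client binding: client_id only has to be registered;
        it is never compared with the client recorded in step 1, so any
        registered client holding the device code is issued a token."""
        if client_id not in self.clients:
            raise ValueError("invalid_client")
        auth = self._checked(device_code)
        auth.consumed = True
        return {"access_token": secrets.token_urlsafe(24), "issued_to": client_id}

    def token_hardened(self, client_id, device_code):
        """Step 3 with the binding RFC 8628 section 3.5 implies: a device code
        'issued to another client' is answered with invalid_grant."""
        if client_id not in self.clients:
            raise ValueError("invalid_client")
        auth = self._checked(device_code)
        if auth.client_id != client_id:
            # Worth logging: a mismatch means a device code is being presented
            # outside the flow that created it.
            raise ValueError("invalid_grant")
        auth.consumed = True
        return {"access_token": secrets.token_urlsafe(24), "issued_to": client_id}


def attempt(endpoint, client_id, device_code):
    """Run one token request and report ('ok', client) or ('error', code)."""
    try:
        return "ok", endpoint(client_id, device_code)["issued_to"]
    except ValueError as exc:
        return "error", str(exc)


def demo():
    """Walk the advisory's scenario against both endpoints."""
    results = {}
    for name in ("token_vulnerable", "token_hardened"):
        server = DeviceGrantServer(["sp-alpha", "sp-beta"])
        code = server.device_authorization("sp-alpha")   # flow started by sp-alpha
        server.user_approves(code)
        endpoint = getattr(server, name)
        results[name] = [
            attempt(endpoint, "sp-beta", code),   # a different SP presents the code
            attempt(endpoint, "sp-alpha", code),  # the originating SP
            attempt(endpoint, "sp-alpha", code),  # second use of the same code
        ]
    return results


if __name__ == "__main__":
    for name, outcomes in demo().items():
        print(name, outcomes)
```

Running `demo()` shows the two behaviours side by side: the unbound endpoint issues the token to `sp-beta` and then refuses the originating client because the code has been consumed, while the bound endpoint rejects `sp-beta` with `invalid_grant`, issues the token to `sp-alpha`, and rejects the second use. The single-use property holds in both variants, matching the advisory's note that one device code cannot yield multiple tokens; it is the missing client binding that lets the token land at the wrong Service Provider.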

IMPACT

This vulnerability allows unauthorized access to sensitive resources across different Service Providers, potentially leading to unauthorized data exposure, data manipulation, or other malicious activities when the device credential grant type is enabled.

SOLUTION

We highly recommend migrating to the latest version of the respective WSO2 products to mitigate the identified vulnerability.

INFO

If you are a WSO2 customer with a Support Subscription, please use WSO2 Updates to apply the fix.