SECURITY ADVISORY WSO2-2023-2808

Published: November 10, 2024

Version: 1.0.0

Severity: Medium

CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)


AFFECTED PRODUCTS

  • WSO2 API Manager : 4.1.0, 4.0.0, 3.2.0, 3.1.0, 3.0.0
  • WSO2 Identity Server : 5.11.0, 5.10.0, 5.9.0, 5.8.0
  • WSO2 Identity Server as Key Manager : 5.10.0, 5.9.0

OVERVIEW

Broken Authentication Vulnerability in REST API Endpoints.

DESCRIPTION

A malicious actor could manipulate the REST API path and bypass authentication checks relevant to some Rest APIs.

IMPACT

Considering the most critical REST API endpoint affected by this vulnerability, the successful exploitation could allow a malicious actor to impersonate and authenticate as a different targeted user (including an administrator, given the username of the administrator user is known to the malicious actor).

SOLUTION

We highly recommend to migrate the latest version of respective WSO2 products to mitigate the identified vulnerabilities.

Info

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.