SECURITY ADVISORY WSO2-2023-2972
Published: December 16, 2024
Version: 1.0.0
Severity: Low
CVSS Score: 3.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
AFFECTED PRODUCTS
- WSO2 API Manager : 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0
- WSO2 Identity Server : 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0
- WSO2 Identity Server as Key Manager : 5.10.0
OVERVIEW
A potential open redirection vulnerability has been identified in the logout flow.
DESCRIPTION
Due to a lack of validation of the logout URL parameter, users could be redirected to an attacker-controlled environment after logging out.
IMPACT
During the logout flow, users may be redirected to an attacker-controlled page, where a phishing attack could be executed to obtain sensitive information or cause harm. However, this is only possible under specific preconditions.
SOLUTION
If the latest version of the affected WSO2 product is not mentioned in the affected product list, you may migrate to the latest version to receive security fixes. Otherwise, you may apply the relevant fix to the product based on the public fix:
Further, the configuration lines below must be added to the deployment.toml file to enable logout flow redirection URL validation, along with the given public PR.
[common_auth_caller_path]
enable_common_auth_caller_path_validation=true
default_url=""
Moreover, to define which logout redirection URLs pass validation, add the respective URL or regex to the 'Logout Return URL or regex' parameter in the Management Console, under: Management Console > Identity > Service Providers > Basic Information > Logout Return URL or regex
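As an added illustration of the kind of check the configuration above enables (example code written for this advisory, not WSO2's implementation): a post-logout redirect resolver that accepts the requested URL only when it is an absolute http(s) URL matching a configured exact-URL or regex allow-list, and otherwise falls back to a default URL. The allow-list entries, the 'regexp=' prefix convention and DEFAULT_URL are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allow-list, modelled on the advisory's "Logout Return URL or
# regex" setting: each entry is an exact URL or a regex (constructed values).
ALLOWED = [
    "https://app.example.com/logged-out",
    r"regexp=https://portal\.example\.com/.*",
]
# Stands in for the default_url setting: where to send the user when the
# requested redirect fails validation.
DEFAULT_URL = "https://app.example.com/"


def _matches(entry: str, url: str) -> bool:
    """Exact-URL entries must match character for character; regex entries
    (prefixed 'regexp=', an assumed convention) must match the WHOLE url,
    so a prefix match cannot be extended with an attacker-chosen suffix."""
    if entry.startswith("regexp="):
        return re.fullmatch(entry[len("regexp="):], url) is not None
    return entry == url


def resolve_logout_redirect(requested: Optional[str]) -> str:
    """Return a safe post-logout redirect: the requested URL only if it is an
    absolute http(s) URL on the allow-list, otherwise DEFAULT_URL."""
    if not requested:
        return DEFAULT_URL
    parts = urlsplit(requested)
    # Reject relative, scheme-relative and non-http(s) URLs, and any netloc
    # carrying userinfo, before consulting the allow-list at all.
    if parts.scheme not in ("http", "https") or not parts.netloc or "@" in parts.netloc:
        return DEFAULT_URL
    if any(_matches(entry, requested) for entry in ALLOWED):
        return requested
    return DEFAULT_URL
```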
Info
If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.