SECURITY ADVISORY CVE-2024-2321/WSO2-2024-3213
Published: November 10, 2024
Version: 1.0.0
Severity: Medium
CVSS Score: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
AFFECTED PRODUCTS
- WSO2 API Manager: 4.2.0, 4.1.0, 4.0.0
- WSO2 Identity Server: 6.1.0, 6.0.0, 5.11.0
Info
Please note that this announcement includes only the product versions affected as per our backporting policy.
OVERVIEW
Under a certain condition, protected APIs can be accessed without the session cookie.
DESCRIPTION
If a malicious actor has access to a valid refresh token of an admin user, an improper authorization check and token mapping allow the application's protected APIs to be accessed without the session cookie.
IMPACT
This behavior could allow a malicious actor who obtains an admin's refresh token by any means to access protected API resources. The exposure is larger than for an access token because refresh tokens typically have a much longer expiration time.
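The following is an illustrative model, added here and not WSO2 code, of the flaw class the description above names: a protected-API check that maps any live stored token to its user, so a refresh token works as if it were an access token, beside the intended check that accepts only a session cookie or an access token. Token values, the session store and the time base are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Token:
    value: str
    kind: str         # "access" or "refresh"
    user: str
    expires_at: float

# Constructed sample stores; values are placeholders, not real credentials.
NOW = 1_700_000_000.0
TOKEN_STORE = {
    "acc-placeholder": Token("acc-placeholder", "access", "admin", NOW + 3600),
    "ref-placeholder": Token("ref-placeholder", "refresh", "admin", NOW + 14 * 86400),
}
SESSION_STORE = {"sess-placeholder": "admin"}

def _bearer_token(headers):
    """Resolve the Bearer credential to a live stored token, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    tok = TOKEN_STORE.get(auth[len("Bearer "):])
    if tok is None or tok.expires_at <= NOW:
        return None
    return tok

def authorize_vulnerable(headers, cookies):
    """Flawed token mapping: every live token in the store, including a
    refresh token, is treated as proof of identity for a protected API."""
    user = SESSION_STORE.get(cookies.get("session", ""))
    if user:
        return user
    tok = _bearer_token(headers)
    return tok.user if tok else None

def authorize_fixed(headers, cookies):
    """Intended check (assumed model): a protected API is reached either
    with a valid session cookie or with an *access* token; refresh tokens
    belong only to the token endpoint and are rejected here."""
    user = SESSION_STORE.get(cookies.get("session", ""))
    if user:
        return user
    tok = _bearer_token(headers)
    if tok is None or tok.kind != "access":
        return None
    return tok.user
```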
SOLUTION
Commercial Users
Update your product to the specified update level—or a higher update level—to apply the fix.
Info
If you are a WSO2 customer with a Support Subscription, use WSO2 Updates to apply the fix.
Product Name | Product Version | U2 Update Level |
---|---|---|
wso2am | 4.0.0 | 275 |
wso2am | 4.1.0 | 153 |
wso2am | 4.2.0 | 83 |
wso2is | 5.11.0 | 326 |
wso2is | 6.0.0 | 172 |
wso2is | 6.1.0 | 130 |
For All Users
If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).