SECURITY ADVISORY CVE-2024-2321/WSO2-2024-3213

Published: November 10, 2024

Version: 1.0.0

Severity: Medium

CVSS Score: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)


AFFECTED PRODUCTS

  • WSO2 API Manager : 4.2.0, 4.1.0, 4.0.0
  • WSO2 Identity Server : 6.1.0, 6.0.0, 5.11.0

OVERVIEW

APIs can be accessed without the session cookies in the certain condition.

DESCRIPTION

Given the malicious actor has access to a valid refresh token of an admin user, due to the improper authorization check and token mapping, application’s protected APIs can be accessed without the session cookie.

IMPACT

This behavior could potentially allow a malicious actor to access the API resource if they obtain the refresh token of the admin through any means, especially considering that refresh tokens typically have a longer expiration time compared to access tokens.

SOLUTION

We highly recommend to migrate the latest version of respective WSO2 products to mitigate the identified vulnerabilities.

Info

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.