SECURITY ADVISORY CVE-2024-2321/WSO2-2024-3213
Published: November 10, 2024
Version: 1.0.0
Severity: Medium
CVSS Score: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
AFFECTED PRODUCTS
- WSO2 API Manager : 4.2.0, 4.1.0, 4.0.0
- WSO2 Identity Server : 6.1.0, 6.0.0, 5.11.0
OVERVIEW
Under a specific condition, protected APIs can be accessed without the session cookie.
DESCRIPTION
If a malicious actor holds a valid refresh token belonging to an admin user, an improper authorization check and token mapping allow the application's protected APIs to be accessed without the session cookie.
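To illustrate the class of flaw described above (a credential of the wrong type being accepted by the API authorization path, with no session binding), the following is an added example and is not WSO2 code or a description of WSO2 internals. It models an opaque-token mapping table and a session store in memory (both constructed here), and contrasts an authorization check that accepts any token the mapping resolves with one that insists on an access token and a session cookie bound to the same subject:

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory token mapping standing in for an OAuth token table.
# Illustrative only; not WSO2's data model.
NOW = time.time()
TOKENS = {
    "acc-admin-1":       {"type": "access",  "sub": "admin", "exp": NOW + 3600},
    "ref-admin-1":       {"type": "refresh", "sub": "admin", "exp": NOW + 14 * 86400},
    "acc-admin-expired": {"type": "access",  "sub": "admin", "exp": NOW - 1},
}

# Constructed session store: cookie value -> authenticated subject.
SESSIONS = {"JSESSIONID-abc": "admin"}


@dataclass
class Request:
    """Minimal stand-in for an incoming API request (hypothetical)."""
    bearer: Optional[str]
    session_cookie: Optional[str]


def authorize_vulnerable(req: Request) -> bool:
    """Improper check: any unexpired token present in the mapping is accepted,
    so a refresh token works as an API credential and no session cookie is
    required. A long-lived refresh token therefore grants API access."""
    rec = TOKENS.get(req.bearer or "")
    return rec is not None and rec["exp"] > time.time()


def authorize_hardened(req: Request) -> bool:
    """Hardened check (assumed policy for this example):
    1. the presented token must be an access token, not a refresh token;
    2. it must be unexpired;
    3. a valid session cookie must be present and bound to the same subject."""
    rec = TOKENS.get(req.bearer or "")
    if rec is None or rec["type"] != "access":
        return False          # refresh tokens are never API credentials
    if rec["exp"] <= time.time():
        return False          # expired access token
    subject_from_session = SESSIONS.get(req.session_cookie or "")
    return subject_from_session == rec["sub"]


if __name__ == "__main__":
    stolen_refresh = Request(bearer="ref-admin-1", session_cookie=None)
    print("vulnerable:", authorize_vulnerable(stolen_refresh))
    print("hardened:  ", authorize_hardened(stolen_refresh))
```

The point of the contrast is that the vulnerable path treats "token resolves to a user" as sufficient, which is exactly what makes a stolen refresh token valuable; the hardened path keys the decision on token type and on the session the cookie represents.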
IMPACT
A malicious actor who obtains an admin user's refresh token by any means could therefore access the protected API resources. The risk is heightened because refresh tokens typically have a much longer lifetime than access tokens.
SOLUTION
We highly recommend migrating to the latest version of the respective WSO2 product to mitigate the identified vulnerability.
Info: If you are a WSO2 customer with a Support Subscription, please use WSO2 Updates to apply the fix.