Security Advisory WSO2-2023-2850¶
Published: 2025-03-18
Updated: 2025-03-18
Version: 1.0.0
Severity: Medium
CVSS Score: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
AFFECTED PRODUCTS¶
- WSO2 API Manager 3.2.0, 3.1.0
- WSO2 Identity Server 5.10.0
- WSO2 Identity Server as Key Manager 5.10.0
- WSO2 Open Banking AM 2.0.0
- WSO2 Open Banking IAM 2.0.0
OVERVIEW¶
Potential privilege escalation vulnerability.
DESCRIPTION¶
A user from a different tenant can log into a non SaaS application created under a different tenant, when the email as username feature is enabled and the application uses Email OTP as first factor authentication.
IMPACT¶
By exploiting this vulnerability, a malicious actor may gain access to an application that should not be accessible to them.
SOLUTION¶
Community Users (Open Source)¶
We highly recommend to migrate to the latest version of respective WSO2 products to mitigate the identified vulnerabilities.
Support Subscription Holders¶
Update your product to the specified update level—or a higher update level—to apply the fix.
Info
WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product | Version | U2 Update Level |
|---|---|---|
| WSO2 API Manager | 3.2.0 | 303 |
| WSO2 API Manager | 3.1.0 | 234 |
| WSO2 Identity Server | 5.10.0 | 247 |
| WSO2 Identity Server as Key Manager | 5.10.0 | 241 |
| WSO2 Open Banking AM | 2.0.0 | 274 |
| WSO2 Open Banking IAM | 2.0.0 | 292 |