Security Advisory WSO2-2024-3149/CVE-2024-8122¶
Published: 2025-05-29
Version: 1.0.0
Severity: Medium
CVSS Score: 5.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
AFFECTED PRODUCTS¶
- WSO2 Identity Server: 6.1.0, 6.0.0, 5.11.0
OVERVIEW¶
Potential brute force vulnerability due to non-expiring SMS OTPs.
DESCRIPTION¶
The lack of a default expiry time for SMS OTPs in MFA allows them to remain valid indefinitely if unused, posing a security risk. This vulnerability could be exploited by a malicious actor to perform brute force attacks. To mitigate this risk, a default expiry period for SMS OTPs in MFA has been implemented.
IMPACT¶
The absence of automatic expiration for OTPs allows attackers unlimited time to guess the correct code, significantly increasing the risk of unauthorized access. A successful attack could result in an MFA bypass, leading to the complete takeover of the user’s account, thereby jeopardizing the security and privacy of both the affected user and the entire system.
SOLUTION¶
Community Users (Open Source)¶
We highly recommend to migrate to the latest version of respective WSO2 products to mitigate the identified vulnerabilities.
Support Subscription Holders¶
Update your product to the specified update level or a higher update level to apply the fix.
Info
WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product | Version | U2 Update Level |
|---|---|---|
| WSO2 Identity Server | 6.1.0 | 219 |
| WSO2 Identity Server | 6.0.0 | 227 |
| WSO2 Identity Server | 5.11.0 | 372 |
Please note after applied the fix The default SMS OTP expiration time is five minutes. It can be adjusted according to your business use case by updating the value of the 'TokenExpiryTime' configuration in the "
[authentication.authenticator.sms_otp.parameters]
...
TokenExpiryTime = 300
For more information, please refer to the product documentation [^1].