Security Advisory WSO2-2024-3217/CVE-2024-2323¶
Published: 2025-03-18
Updated: 2025-03-18
Version: 1.0.0
Severity: Medium
CVSS Score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
AFFECTED PRODUCTS¶
- WSO2 API Manager 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.0, 3.2.1, 3.1.0
- WSO2 Enterprise Integrator 6.6.0
- WSO2 Identity Server 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0
- WSO2 Identity Server as Key Manager 5.10.0
- WSO2 Open Banking AM 2.0.0
- WSO2 Open Banking IAM 2.0.0
OVERVIEW¶
Potential password bruteforce vulnerability when RemoteUserStoreManagerService is enabled.
DESCRIPTION¶
Due to the improper validation, a malicious actor may carry out a password bruteforce attack when the 'password history validation’ feature is enabled with RemoteUserStoreManagerService.
IMPACT¶
Exploiting this vulnerability allows an attacker to potentially guess and discover the password of a targeted user account, enabling them to impersonate the victim. The probability of a successful attack is dependent on the password's complexity, with more intricate passwords reducing the chance of unauthorized access.
SOLUTION¶
Community Users (Open Source)¶
Apply the relevant fixes to your product using the public fix(es) provided below.
If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders¶
Update your product to the specified update level—or a higher update level—to apply the fix.
Once you apply the fix using one of the approaches mentioned above, we strongly recommend implementing reCAPTCHA or a rate-limiting mechanism, especially if you are exposing admin services like 'updateCredential' in a manner that allows end-user interaction.
Furthermore, we highly recommend not exposing any services that manage confidential information within the admin services mentioned in 1 to end users through any means.
Info
WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product | Version | U2 Update Level |
|---|---|---|
| WSO2 API Manager | 4.3.0 | 21 |
| WSO2 API Manager | 4.2.0 | 107 |
| WSO2 API Manager | 4.1.0 | 170 |
| WSO2 API Manager | 4.0.0 | 308 |
| WSO2 API Manager | 3.2.0 | 354 |
| WSO2 API Manager | 3.2.1 | 19 |
| WSO2 API Manager | 3.1.0 | 268 |
| WSO2 Enterprise Integrator | 6.6.0 | 204 |
| WSO2 Identity Server | 7.0.0 | 35 |
| WSO2 Identity Server | 6.1.0 | 150 |
| WSO2 Identity Server | 6.0.0 | 188 |
| WSO2 Identity Server | 5.11.0 | 344 |
| WSO2 Identity Server | 5.10.0 | 286 |
| WSO2 Identity Server as Key Manager | 5.10.0 | 283 |
| WSO2 Open Banking AM | 2.0.0 | 315 |
| WSO2 Open Banking IAM | 2.0.0 | 335 |