Security Advisory WSO2-2024-3414/CVE-2024-5617¶
Published: 2025-03-18
Updated: 2025-03-18
Version: 1.0.0
Severity: Medium
CVSS Score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
AFFECTED PRODUCTS¶
- WSO2 API Manager 4.3.0, 4.2.0, 4.1.0
- WSO2 Identity Server 7.0.0, 6.1.0, 6.0.0, 5.11.0
OVERVIEW¶
Potential brute force vulnerability due to the functional flaw in the account lock feature.
DESCRIPTION¶
Due to the functional flaw in the account lock feature, user accounts in the primary user store don't get locked upon reaching the maximum failed attempts, when users with the same username exist in both the primary and secondary user stores. Instead, only the user account in the secondary user store is locked.
IMPACT¶
Brute force attacks pose a significant risk to the security of the system. If successful, attackers can gain unauthorized access to sensitive information or accounts by systematically trying all possible combinations of usernames and passwords.
SOLUTION¶
Community Users (Open Source)¶
We highly recommend to migrate to the latest version of respective WSO2 products to mitigate the identified vulnerabilities.
Support Subscription Holders¶
Update your product to the specified update level—or a higher update level—to apply the fix.
Info
WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product | Version | U2 Update Level |
|---|---|---|
| WSO2 API Manager | 4.3.0 | 13 |
| WSO2 API Manager | 4.2.0 | 95 |
| WSO2 API Manager | 4.0.0 | 298 |
| WSO2 Identity Server | 7.0.0 | 33 |
| WSO2 Identity Server | 6.1.0 | 162 |
| WSO2 Identity Server | 6.0.0 | 194 |
| WSO2 Identity Server | 5.11.0 | 348 |