

Security Advisory WSO2-2024-3436/CVE-2024-5563

Published: 2025-03-18

Updated: 2025-03-18

Version: 1.0.0

Severity: Medium

CVSS Score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

---

AFFECTED PRODUCTS

• WSO2 Identity Server 7.0.0

OVERVIEW

Incomplete reCaptcha implementation in certain flows leading to brute forcing the user credentials.

DESCRIPTION

Due to the improper implementation of reCaptcha, it will not be added to certain flows even when the reCaptcha option is enabled. This may lead to brute force attacks.

IMPACT

Brute force attacks pose a significant risk to the security of the system. If successful, attackers can gain unauthorized access to sensitive information or accounts by systematically trying all possible combinations of usernames and passwords.

SOLUTION

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below.

• https://github.com/wso2/identity-apps/pull/6465

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

Update your product to the specified update level—or a higher update level—to apply the fix.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product	Version	U2 Update Level
WSO2 Identity Server	7.0.0	37