

Security Advisory WSO2-2024-3472

Published: 2025-06-19

Version: 1.0.0

Severity: Not Applicable

CVSS Score: Not Applicable

---

AFFECTED PRODUCTS

• WSO2 API Manager: 3.1.0, 3.2.0, 3.2.1, 4.0.0, 4.2.0, 4.3.0
• WSO2 Enterprise Integrator: 6.6.0
• WSO2 Identity Server: 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0
• WSO2 Identity Server as Key Manager: 5.10.0
• WSO2 Open Banking AM: 2.0.0
• WSO2 Open Banking IAM: 2.0.0

OVERVIEW

Essential security enhancements on the 'invite user' feature.

DESCRIPTION

The default user password creation algorithms will be enhanced in the user invite feature.

IMPACT

The implementation of these security enhancements significantly strengthens the overall protection and integrity of the product, mitigating potential vulnerabilities and ensuring a more robust defense against security threats.

SOLUTION

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below.

• https://github.com/wso2/carbon-kernel/pull/4061
• https://github.com/wso2/carbon-identity-framework/pull/5891
• https://github.com/wso2/carbon-apimgt/pull/12526

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

Update your product to the specified update level or a higher update level to apply the fix.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product	Version	U2 Update Level
WSO2 API Manager	3.1.0	290
WSO2 API Manager	3.2.0	380
WSO2 API Manager	3.2.1	32
WSO2 API Manager	4.0.0	326
WSO2 API Manager	4.2.0	126
WSO2 API Manager	4.3.0	37
WSO2 Enterprise Integrator	6.6.0	212
WSO2 Identity Server	5.11.0	355
WSO2 Identity Server	5.10.0	315
WSO2 Identity Server	6.0.0	202
WSO2 Identity Server	6.1.0	176
WSO2 Identity Server	7.0.0	48
WSO2 Identity Server as Key Manager	5.10.0	309
WSO2 Open Banking AM	2.0.0	339
WSO2 Open Banking IAM	2.0.0	360