Security Advisory WSO2-2024-3606/CVE-2024-7478

Published: 2025-03-18

Updated: 2025-03-18

Version: 1.0.0

Severity: Medium

CVSS Score: 5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)


AFFECTED PRODUCTS

  • WSO2 API Manager: 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0
  • WSO2 Identity Server: 7.0.0, 6.1.0, 6.0.0, 5.10.0
  • WSO2 Identity Server as Key Manager: 5.10.0
  • WSO2 Open Banking AM: 2.0.0
  • WSO2 Open Banking IAM: 2.0.0

OVERVIEW

Potential username enumeration vulnerability associated with external user stores.

DESCRIPTION

When a WSO2 product is configured with an external user store, a malicious actor may be able to enumerate usernames held in that user store by observing how the product responds to authentication attempts: the failure response returned for a username that does not exist can be distinguished from the response returned for a valid username with a wrong password.

IMPACT

Knowledge of valid usernames increases the risk of brute-force attacks, social engineering attacks, and information leakage. An attacker can use a list of confirmed usernames to craft targeted phishing emails or other social engineering attacks that trick users into divulging sensitive information. Username enumeration may also damage the reputation of the organization responsible for the system and lead to loss of customer trust, regulatory non-compliance, and legal and financial consequences.

SOLUTION

Community Users (Open Source)

We highly recommend migrating to the latest version of the respective WSO2 product to mitigate the identified vulnerability.

Support Subscription Holders

Update your product to the specified update level—or a higher update level—to apply the fix.

Once you have applied the fix using one of the approaches above, it is essential to add the following configuration to the deployment.toml file (under repository/conf in the product installation) whenever the showAuthFailureReason parameter is enabled. Without it, the authentication failure response still reveals whether the attempted username exists.

[authentication.authenticator.basic.parameters]
maskUserNotExistsErrorCode = true

With this setting, an authentication attempt with a non-existent username returns the same "invalid credentials" error as an attempt with a valid username and a wrong password, instead of the default "user does not exist" message.

Further, you can omit parameters such as errorCode, failedUsername, remainingAttempts, and lockedReason from the error response, even when showAuthFailureReason is set to true, by adding the following key to the deployment.toml file. Place it in the same [authentication.authenticator.basic.parameters] table as maskUserNotExistsErrorCode; a TOML table header must not be repeated within the file.

[authentication.authenticator.basic.parameters]
errorParamsToOmit = ["errorCode,failedUsername,remainingAttempts,lockedReason"]

In addition, you can choose whether a failed-login lockout is applied to the external user store's account as well as to the WSO2 Identity Server account. By default, when account lock configurations are enabled in the external user store, WSO2 products also lock the account there once the number of invalid login attempts is exceeded. A malicious actor who knows (or has enumerated) a username can abuse this to perform a Denial of Service (DoS) attack against that user by deliberately exceeding the invalid-login threshold and triggering the lock. The configuration below in the deployment.toml file disables this behaviour. It is independent of showAuthFailureReason and can be used even when that parameter is set to false.

[authentication_policy]
pre_authentication_account_lock_check = true
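The following script is an added example, not part of this advisory or WSO2's own tooling. It reads a deployment.toml and reports whether the hardening above is in place: it flags showAuthFailureReason = true without maskUserNotExistsErrorCode, lists any of the four leaky parameters not covered by errorParamsToOmit, and checks for pre_authentication_account_lock_check. It assumes Python 3.11+ (tomllib) or the tomli backport, and accepts the flags written either as TOML booleans or as the string "true". The two sample configurations embedded in it are constructed for illustration.

```python
"""Audit a WSO2 deployment.toml for the username-enumeration hardening
described in advisory WSO2-2024-3606. Added example, not WSO2 tooling."""
import sys

try:
    import tomllib  # Python 3.11+ (assumed available)
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore  # backport, assumed installed

# Parameters the advisory says should be omitted from the failure response
# when showAuthFailureReason is enabled (names taken from the advisory).
LEAKY_PARAMS = {"errorCode", "failedUsername", "remainingAttempts", "lockedReason"}


def _truthy(value) -> bool:
    """Treat both the TOML boolean true and the string "true" as enabled."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def _omitted_params(value) -> set:
    """Normalise errorParamsToOmit. The advisory shows a one-element array
    holding a comma-separated string; a real list of names also works."""
    if value is None:
        return set()
    if isinstance(value, str):
        value = [value]
    return {p.strip() for item in value for p in str(item).split(",") if p.strip()}


def audit(toml_text: str) -> list:
    """Return a list of findings; an empty list means the hardening is present."""
    cfg = tomllib.loads(toml_text)
    basic = (cfg.get("authentication", {}).get("authenticator", {})
             .get("basic", {}).get("parameters", {}))
    policy = cfg.get("authentication_policy", {})
    findings = []

    if _truthy(basic.get("showAuthFailureReason", False)):
        if not _truthy(basic.get("maskUserNotExistsErrorCode", False)):
            findings.append(
                "showAuthFailureReason is enabled but maskUserNotExistsErrorCode "
                "is not: 'user does not exist' is distinguishable from "
                "'invalid credentials'")
        missing = LEAKY_PARAMS - _omitted_params(basic.get("errorParamsToOmit"))
        if missing:
            findings.append(
                "showAuthFailureReason is enabled and these parameters are still "
                "returned: " + ", ".join(sorted(missing)))
    if not _truthy(policy.get("pre_authentication_account_lock_check", False)):
        findings.append(
            "pre_authentication_account_lock_check is not set: repeated failed "
            "logins can lock the external user store account (DoS)")
    return findings


# Constructed sample: failure reasons exposed, nothing masked or omitted.
WEAK_CONFIG = """
[authentication.authenticator.basic.parameters]
showAuthFailureReason = true
"""

# Constructed sample: the advisory's hardening applied, both keys in one table.
HARDENED_CONFIG = """
[authentication.authenticator.basic.parameters]
showAuthFailureReason = true
maskUserNotExistsErrorCode = true
errorParamsToOmit = ["errorCode,failedUsername,remainingAttempts,lockedReason"]

[authentication_policy]
pre_authentication_account_lock_check = true
"""

if __name__ == "__main__":
    # Usage: python audit_deployment_toml.py <PRODUCT_HOME>/repository/conf/deployment.toml
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            text = fh.read().decode("utf-8")
    else:
        text = WEAK_CONFIG
    for finding in audit(text):
        print("FINDING:", finding)
```

Run it against a real deployment.toml; no output means the three settings are present. The check is intentionally strict about errorParamsToOmit: it expects all four names from the advisory, so a partial list is reported as a finding.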

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product                                 Version   U2 Update Level
WSO2 API Manager                        3.1.0     310
WSO2 API Manager                        3.2.0     401
WSO2 API Manager                        3.2.1     26
WSO2 API Manager                        4.0.0     318
WSO2 API Manager                        4.1.0     180
WSO2 API Manager                        4.2.0     119
WSO2 API Manager                        4.3.0     30
WSO2 Identity Server                    5.10.0    326
WSO2 Identity Server                    6.0.0     214
WSO2 Identity Server                    6.1.0     198
WSO2 Identity Server                    7.0.0     67
WSO2 Identity Server as Key Manager     5.10.0    320
WSO2 Open Banking AM                    2.0.0     351
WSO2 Open Banking IAM                   2.0.0     371