Security Advisory WSO2-2025-3134/CVE-2025-0672¶
Published: 2025-06-19
Version: 1.0.0
Severity: Low
CVSS Score: 3.3 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N)
CVE IDs: CVE-2025-0672
AFFECTED PRODUCTS¶
- WSO2 Identity Server: 5.11.0, 5.10.0
- WSO2 Identity Server as Key Manager: 5.10.0
- WSO2 Open Banking IAM: 2.0.0
OVERVIEW¶
Potential users impersonate vulnerabilities when the deployment supports FIDO authentication.
DESCRIPTION¶
User accounts associated with Fast Identity Online (FIDO) registered devices are not automatically removed when the corresponding user account is deleted. However, this vulnerability applies only to deployments that utilize FIDO authentication.
IMPACT¶
If FIDO authentication is utilized in a deployment, when a new user account is created using a previously used username, the system may automatically associate the account with a FIDO device registered by the previous user. This could allow the previous user to impersonate the newly created account.
SOLUTION¶
Community Users (Open Source)¶
We highly recommend to migrate to the latest version of respective WSO2 products to mitigate the identified vulnerabilities.
Support Subscription Holders¶
Update your product to the specified update level or a higher update level to apply the fix.
Info
WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product | Version | U2 Update Level |
|---|---|---|
| WSO2 Identity Server | 5.11.0 | 394 |
| WSO2 Identity Server | 5.10.0 | 345 |
| WSO2 Identity Server as Key Manager | 5.10.0 | 338 |
| WSO2 Open Banking IAM | 2.0.0 | 389 |