Security Advisory WSO2-2023-2672
Published: 2026-05-03
Version: 1.0.0
Severity: Medium
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
AFFECTED PRODUCTS
- WSO2 API Manager: 4.0.0, 3.2.0, 3.1.0
- WSO2 Identity Server as Key Manager: 5.10.0
- WSO2 Identity Server: 6.1.0, 6.0.0, 5.11.0, 5.10.0
- WSO2 Open Banking AM: 2.0.0
- WSO2 Open Banking IAM: 2.0.0
OVERVIEW
An open redirect vulnerability has been identified in the WS-Federation (Passive) STS logout flow.
DESCRIPTION
An open redirect vulnerability exists in the logout flow when WS-Federation (Passive) authentication is used for inbound authentication in a service provider: the redirect target supplied in the logout request is not validated against the service provider's configured logout URL.
IMPACT
Using social engineering, an attacker could persuade a user to click a link to the legitimate STS logout endpoint that carries a malicious redirect target. The user is then redirected to an attacker-controlled page, where a phishing attack could be executed to obtain highly sensitive information or cause other harm.
SOLUTION
Community Users (Open Source)
Migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders
Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.
Info: WSO2 Support Subscription Holders may use WSO2 Updates to apply the fix.
| Product Name | Product Version | Update Level |
|---|---|---|
| WSO2 API Manager | 4.0.0 | 333 |
| WSO2 API Manager | 3.2.0 | 317 |
| WSO2 API Manager | 3.1.0 | 244 |
| WSO2 Identity Server | 6.1.0 | 177 |
| WSO2 Identity Server | 6.0.0 | 223 |
| WSO2 Identity Server | 5.11.0 | 394 |
| WSO2 Identity Server | 5.10.0 | 258 |
| WSO2 Identity Server as Key Manager | 5.10.0 | 253 |
| WSO2 Open Banking AM | 2.0.0 | 289 |
| WSO2 Open Banking IAM | 2.0.0 | 307 |
Further, it is recommended to configure the WReply logout URL in the service provider's WS-Federation (Passive) configuration, at:

Carbon Console > Service Provider > Inbound Authentication > WS-Federation > Passive STS WReply Logout URL

In addition, a new configuration option has been introduced to enable validation of the logout wreply URL. It is disabled by default. To enable it, open the identity.xml file located in <Product_Home>/repository/conf/identity/ and apply the following configuration:

```xml
<PassiveSTS>
    ...
    <LogoutWreplyValidation>true</LogoutWreplyValidation>
</PassiveSTS>
```

For the validation to be performed, the wtrealm parameter must be sent with the logout request. The wtrealm value identifies the service provider whose configured WReply logout URL the wreply parameter is checked against; without it the service provider, and therefore the expected logout URL, cannot be determined.
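The following Python model illustrates the difference between the unvalidated and the validated logout flow described above. It is an added example written for this advisory, not WSO2 code: the service provider registry, the function names, the sample STS endpoint and the request URLs are constructed for illustration, and the exact matching rule (scheme, host, port and path must all equal the configured value, with default ports normalised) is this example's assumption, not a statement of how the product compares the URLs.

```python
"""Hypothetical model of the Passive STS logout wreply check.

Added example, not WSO2 code. The SP registry, function names and request
URLs are constructed. It models (a) the unvalidated behaviour, which redirects
to whatever wreply says, and (b) the validated behaviour, which looks the
service provider up by wtrealm and only redirects to the configured WReply
logout URL.
"""
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed stand-in for the per-service-provider "Passive STS WReply
# Logout URL" setting, keyed by the SP's realm (wtrealm).
SP_LOGOUT_WREPLY = {
    "urn:example:sp1": "https://app.example.com/logout",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_logout_request(url):
    """Extract wa, wtrealm and wreply from a Passive STS logout request URL."""
    params = parse_qs(urlsplit(url).query)
    return (params.get("wa", [None])[0],
            params.get("wtrealm", [None])[0],
            params.get("wreply", [None])[0])


def _normalize(url):
    """Reduce a URL to (scheme, host, port, path) for strict comparison.

    urlsplit() treats everything before an '@' in the authority as userinfo,
    so 'https://app.example.com@evil.example.net/x' normalises to host
    evil.example.net, and a scheme-relative '//evil.example.net/x' gets an
    empty scheme; both therefore fail the comparison.
    """
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, p.hostname, port, p.path or "/")


def logout_redirect_unvalidated(url):
    """Behaviour without LogoutWreplyValidation: wreply is trusted as-is."""
    wa, _realm, wreply = parse_logout_request(url)
    if wa != "wsignout1.0":
        return None
    return wreply


def logout_redirect_validated(url, registry=SP_LOGOUT_WREPLY):
    """Modelled behaviour with LogoutWreplyValidation enabled.

    Returns the redirect target, or None when the request must be rejected:
    no wtrealm (the SP cannot be identified), an unknown realm, or a wreply
    that does not match the SP's configured logout URL. A request with a
    known realm but no wreply falls back to the configured URL; that fallback
    is this example's choice.
    """
    wa, realm, wreply = parse_logout_request(url)
    if wa != "wsignout1.0" or realm is None:
        return None
    configured = registry.get(realm)
    if configured is None:
        return None
    if wreply is None:
        return configured
    if _normalize(wreply) != _normalize(configured):
        return None
    # Redirect to the configured value rather than echoing the request back.
    return configured


def logout_url(**params):
    """Build a constructed logout request against a sample STS endpoint."""
    return "https://sts.example.org/passivests?" + urlencode(params)


if __name__ == "__main__":
    evil = logout_url(wa="wsignout1.0", wtrealm="urn:example:sp1",
                      wreply="https://evil.example.net/phish")
    print("unvalidated:", logout_redirect_unvalidated(evil))  # attacker page
    print("validated:  ", logout_redirect_validated(evil))    # None (rejected)
```

The validated path deliberately redirects to the stored configured URL rather than the attacker-influenced wreply string once they compare equal, and it rejects host look-alikes (`app.example.com.evil.example.net`), userinfo tricks (`app.example.com@evil.example.net`) and scheme-relative values, which a naive prefix or substring check would let through.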