Security Advisory WSO2-2024-2753/CVE-2024-8995
Published: 2026-05-03
Version: 1.0.0
Severity: Medium
CVSS Score: 4.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N)
CVE IDs: CVE-2024-8995
AFFECTED PRODUCTS
- WSO2 API Control Plane: 4.6.0, 4.5.0
- WSO2 API Manager: 4.6.0, 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0
- WSO2 Identity Server as Key Manager: 5.10.0
- WSO2 Identity Server: 6.1.0, 6.0.0, 5.11.0, 5.10.0
- WSO2 Open Banking AM: 2.0.0
- WSO2 Open Banking IAM: 2.0.0
- WSO2 Traffic Manager: 4.6.0, 4.5.0
- WSO2 Universal Gateway: 4.6.0, 4.5.0
OVERVIEW
Unused authorization codes issued to deleted users can still be used to obtain access tokens.
DESCRIPTION
Unused authorization codes issued to deleted users are not being removed. This allows malicious actors to claim access tokens on behalf of already deleted users.
IMPACT
Because unused authorization codes for deleted users are not removed, a malicious actor could claim access tokens on their behalf. This is possible only if the malicious actor has access to the authorization code, the client ID and the client secret. Given that the above conditions are met, this may lead to unauthorized access to sensitive resources and services, depending on the scopes authorized for the authorization code.
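The following is an added example, not WSO2's code, that models the authorization-code grant in a generic in-memory authorization server to show the defect the advisory describes and the two defender-side controls that close it: cascading user deletion to the user's outstanding codes, and re-checking at the token endpoint that the code's subject still exists. All names, the client secret and the code lifetime are constructed for illustration.

```python
"""Model of an OAuth 2.0 authorization-code grant, constructed to illustrate
the advisory: an authorization code that is still redeemable after its user
has been deleted, beside two defender-side controls that close the gap.
Illustrative example code, not WSO2's implementation."""
from dataclasses import dataclass, field
import secrets
import time


@dataclass
class AuthCode:
    user_id: str
    client_id: str
    scope: str
    issued_at: float
    ttl_seconds: int = 300  # codes are short-lived (hypothetical value)


@dataclass
class AuthServer:
    users: dict = field(default_factory=dict)    # user_id -> display name
    clients: dict = field(default_factory=dict)  # client_id -> client secret
    codes: dict = field(default_factory=dict)    # code string -> AuthCode
    # Control 1: cascade user deletion to the user's outstanding codes.
    purge_codes_on_delete: bool = False
    # Control 2: re-check that the subject still exists when a code is redeemed.
    check_user_on_redeem: bool = False

    def issue_code(self, user_id: str, client_id: str, scope: str) -> str:
        """Authorization endpoint: bind a fresh single-use code to user + client."""
        if user_id not in self.users or client_id not in self.clients:
            raise ValueError("unknown user or client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(user_id, client_id, scope, time.time())
        return code

    def delete_user(self, user_id: str) -> int:
        """Remove a user; returns how many outstanding codes were revoked with it."""
        self.users.pop(user_id, None)
        if not self.purge_codes_on_delete:
            return 0  # the defect: the user's codes outlive the account
        stale = [c for c, e in self.codes.items() if e.user_id == user_id]
        for c in stale:
            del self.codes[c]
        return len(stale)

    def redeem_code(self, code: str, client_id: str, client_secret: str):
        """Token endpoint: exchange a code for an access token, or return None."""
        entry = self.codes.pop(code, None)  # single use: consume even on failure
        if entry is None or entry.client_id != client_id:
            return None
        expected = self.clients.get(client_id, "")
        if not secrets.compare_digest(expected, client_secret):
            return None
        if time.time() - entry.issued_at > entry.ttl_seconds:
            return None
        if self.check_user_on_redeem and entry.user_id not in self.users:
            return None  # subject was deleted after the code was issued
        return {"sub": entry.user_id, "client_id": client_id, "scope": entry.scope}


def _scenario(purge: bool, check: bool):
    """Issue a code to a user, delete the user, then try to redeem the code."""
    srv = AuthServer(users={"alice": "Alice"}, clients={"app": "constructed-secret"},
                     purge_codes_on_delete=purge, check_user_on_redeem=check)
    code = srv.issue_code("alice", "app", "read")
    srv.delete_user("alice")
    return srv.redeem_code(code, "app", "constructed-secret")


def redeem_after_delete_vulnerable():
    """Neither control enabled: a token is minted for a user who no longer exists."""
    return _scenario(purge=False, check=False)


def redeem_after_delete_purge_only():
    return _scenario(purge=True, check=False)


def redeem_after_delete_check_only():
    return _scenario(purge=False, check=True)


def redeem_live_user():
    """Sanity check: the hardened server still serves an existing user."""
    srv = AuthServer(users={"alice": "Alice"}, clients={"app": "constructed-secret"},
                     purge_codes_on_delete=True, check_user_on_redeem=True)
    code = srv.issue_code("alice", "app", "read")
    return srv.redeem_code(code, "app", "constructed-secret")


if __name__ == "__main__":
    print("vulnerable:", redeem_after_delete_vulnerable())
    print("purge on delete:", redeem_after_delete_purge_only())
    print("check on redeem:", redeem_after_delete_check_only())
    print("live user:", redeem_live_user())
```

Either control alone is enough to stop the redemption in this model; keeping both is defence in depth, since the purge on deletion can be missed when code storage is distributed or the deletion event is lost, while the check at the token endpoint also covers that case.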
SOLUTION
Community Users (Open Source)
Apply the relevant fixes to your product using the public fix(es) provided below.
If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders
Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.
Info: WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product Name | Product Version | Update Level |
|---|---|---|
| WSO2 API Control Plane | 4.6.0 | 20 |
| WSO2 API Control Plane | 4.5.0 | 56 |
| WSO2 API Manager | 4.6.0 | 19 |
| WSO2 API Manager | 4.5.0 | 55 |
| WSO2 API Manager | 4.4.0 | 70 |
| WSO2 API Manager | 4.3.0 | 106 |
| WSO2 API Manager | 4.2.0 | 195 |
| WSO2 API Manager | 4.1.0 | 255 |
| WSO2 API Manager | 4.0.0 | 334 |
| WSO2 API Manager | 3.2.1 | 90 |
| WSO2 API Manager | 3.2.0 | 413 |
| WSO2 API Manager | 3.1.0 | 320 |
| WSO2 Identity Server | 6.1.0 | 208 |
| WSO2 Identity Server | 6.0.0 | 229 |
| WSO2 Identity Server | 5.11.0 | 395 |
| WSO2 Identity Server | 5.10.0 | 345 |
| WSO2 Identity Server as Key Manager | 5.10.0 | 338 |
| WSO2 Open Banking AM | 2.0.0 | 369 |
| WSO2 Open Banking IAM | 2.0.0 | 389 |
| WSO2 Traffic Manager | 4.6.0 | 19 |
| WSO2 Traffic Manager | 4.5.0 | 54 |
| WSO2 Universal Gateway | 4.6.0 | 19 |
| WSO2 Universal Gateway | 4.5.0 | 55 |