Security Advisory WSO2-2024-3179/CVE-2024-1248
Published: 2026-05-03
Version: 1.0.0
Severity: Medium
CVSS Score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)
CVE IDs: CVE-2024-1248
AFFECTED PRODUCTS
- WSO2 API Manager: 4.1.0, 4.0.0, 3.2.0, 3.1.0, 3.0.0
- WSO2 Identity Server as Key Manager: 5.10.0, 5.9.0
- WSO2 Identity Server: 5.11.0, 5.10.0, 5.9.0, 5.8.0
- WSO2 Open Banking AM: 2.0.0
- WSO2 Open Banking IAM: 2.0.0
OVERVIEW
User roles can be overwritten when using federated authentication with Silent JIT Provisioning.
DESCRIPTION
When the silent Just-In-Time (JIT) Provisioning feature is enabled for a federated identity provider (IDP), there is a risk that a user's roles in the local user store are replaced during account provisioning when a federated user shares the same username as an existing local user.
IMPACT
For the described vulnerability to be exploited, several specific conditions must align:
- A federated identity provider (IDP) must be set up for federated authentication with Just-In-Time (JIT) provisioning enabled and configured for "Silent Provisioning", via an IDP in which an attacker can freely create user accounts (e.g. public IDPs such as Google).
- The attacker needs the username of a targeted valid user in the local IDP system.
Once these prerequisites are in place, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. It is important to note that any changes to the local user's roles are limited to the roles defined within the federated IDP. Typically, roles assigned to federated users grant minimal access rights unless the federated IDP's administrator deliberately assigns roles with more extensive privileges to these users.
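The following is an added illustration, not WSO2's code: a minimal model of silent JIT provisioning that shows the overwrite-on-username-collision behaviour described above, beside a hardened variant that refuses to provision over an unrelated local account. The classes, function names and the sample users are constructed for the example.

```python
# Added illustration (not WSO2 code): toy model of silent JIT provisioning.
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class LocalUser:
    username: str
    roles: Set[str] = field(default_factory=set)
    federated_idp: Optional[str] = None  # None = account was created locally


class UserStore:
    def __init__(self) -> None:
        self.users: Dict[str, LocalUser] = {}

    def add(self, user: LocalUser) -> None:
        self.users[user.username] = user


class ProvisioningConflict(Exception):
    """Raised when a federated login collides with an unrelated local account."""


def silent_jit_vulnerable(store: UserStore, username: str, idp: str,
                          idp_roles: Iterable[str]) -> LocalUser:
    """Flawed behaviour: an existing local user's roles are replaced."""
    user = store.users.get(username)
    if user is None:
        user = LocalUser(username, set(idp_roles), idp)
        store.add(user)
    else:
        user.roles = set(idp_roles)  # local roles silently overwritten
    return user


def silent_jit_hardened(store: UserStore, username: str, idp: str,
                        idp_roles: Iterable[str]) -> LocalUser:
    """Only provision when the username is free or already linked to this IDP."""
    user = store.users.get(username)
    if user is None:
        user = LocalUser(username, set(idp_roles), idp)
        store.add(user)
    elif user.federated_idp != idp:
        raise ProvisioningConflict(f"{username!r} exists as a non-{idp} account")
    else:
        user.roles = set(idp_roles)  # same linked account: refresh its roles
    return user


def demo():
    """Constructed scenario: local 'alice' holds 'admin'; a public-IDP account is also named 'alice'."""
    vuln_store, hard_store = UserStore(), UserStore()
    vuln_store.add(LocalUser("alice", {"admin"}))
    hard_store.add(LocalUser("alice", {"admin"}))
    vulnerable = silent_jit_vulnerable(vuln_store, "alice", "public-idp", ["federated-user"])
    try:
        silent_jit_hardened(hard_store, "alice", "public-idp", ["federated-user"])
        blocked = False
    except ProvisioningConflict:
        blocked = True
    return sorted(vulnerable.roles), sorted(hard_store.users["alice"].roles), blocked
```

Running demo() shows the vulnerable path replacing alice's "admin" role with the IDP-supplied one, while the hardened path leaves the local account untouched and reports the conflict.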
SOLUTION
Community Users (Open Source)
Migrate to the latest unaffected version of the respective WSO2 product(s).
Support Subscription Holders
Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.
WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product Name | Product Version | Update Level |
|---|---|---|
| WSO2 API Manager | 4.1.0 | 169 |
| WSO2 API Manager | 4.0.0 | 269 |
| WSO2 API Manager | 3.2.0 | 351 |
| WSO2 API Manager | 3.1.0 | 267 |
| WSO2 API Manager | 3.0.0 | 153 |
| WSO2 Identity Server | 5.11.0 | 321 |
| WSO2 Identity Server | 5.10.0 | 284 |
| WSO2 Identity Server | 5.9.0 | 138 |
| WSO2 Identity Server | 5.8.0 | 101 |
| WSO2 Identity Server as Key Manager | 5.10.0 | 280 |
| WSO2 Identity Server as Key Manager | 5.9.0 | 148 |
| WSO2 Open Banking AM | 2.0.0 | 313 |
| WSO2 Open Banking IAM | 2.0.0 | 333 |