User Impersonation Vulnerability in WSO2 Products
CVE-2023-6837

8.2 HIGH

What is CVE-2023-6837?

Multiple WSO2 products are susceptible to a user impersonation vulnerability due to inadequate controls during the Just-In-Time (JIT) provisioning process. This issue arises when an Identity Provider (IDP) is configured for federated authentication and JIT provisioning with specific user prompt settings. If an attacker possesses a freshly created valid user account in the IDP and knows the username of a legitimate user, they could exploit this vulnerability by leveraging the JIT provisioning flow to impersonate the authentic user. This highlights the importance of robust authentication measures and vigilant account management practices in preventing unauthorized access.
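To make the flaw class concrete, the following is an added illustration (not WSO2's code) of the account-mapping step in a JIT provisioning flow that prompts the federated user for a local username: the flawed pattern that reuses any existing account matching the typed name, beside a hardened pattern that binds a federated identity to one local account and refuses name collisions. The in-memory store, the IdP name, the subject identifier and the role names are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LocalUser:
    username: str
    roles: set

@dataclass
class Store:
    # Hypothetical user store: local accounts by username, plus the federated
    # identities (idp name, subject id) already linked to a local account.
    users: dict = field(default_factory=dict)
    links: dict = field(default_factory=dict)

def jit_provision_unsafe(store: Store, idp: str, subject: str, prompted_username: str) -> LocalUser:
    """Flawed pattern: the username typed at the JIT prompt is looked up as-is.
    A collision with an existing local account binds the new federated login to it."""
    user = store.users.get(prompted_username)
    if user is None:
        user = LocalUser(prompted_username, {"Internal/everyone"})  # assumed default role
        store.users[prompted_username] = user
    store.links[(idp, subject)] = user.username
    return user

def jit_provision_safe(store: Store, idp: str, subject: str, prompted_username: str) -> LocalUser:
    """Hardened pattern: a federated identity resolves only to the local account it was
    linked to when first provisioned, and a prompted username that already exists is refused."""
    linked = store.links.get((idp, subject))
    if linked is not None:
        return store.users[linked]  # returning federated user: the stored link wins over the prompt
    if prompted_username in store.users:
        raise PermissionError(f"'{prompted_username}' already exists; refusing to map a new federated identity to it")
    user = LocalUser(prompted_username, {"Internal/everyone"})  # assumed default role
    store.users[prompted_username] = user
    store.links[(idp, subject)] = prompted_username
    return user

def safe_allows(store: Store, idp: str, subject: str, prompted_username: str) -> bool:
    """Report whether the hardened flow accepts a provisioning attempt (helper for checks)."""
    try:
        jit_provision_safe(store, idp, subject, prompted_username)
        return True
    except PermissionError:
        return False

def new_store() -> Store:
    # Constructed data: one pre-existing privileged local account.
    return Store(users={"alice": LocalUser("alice", {"admin"})})
```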

Affected Version(s)

WSO2 API Manager 2.5.0.0 < 2.5.0.32

WSO2 API Manager 2.6.0.0 < 2.6.0.52

WSO2 API Manager 3.0.0.0 < 3.0.0.50

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
