User Impersonation Vulnerability in WSO2 Products
CVE-2023-6837
Key Information:
- Vendor: WSO2
- Status: Vendor
- CVE Published: 15 December 2023
What is CVE-2023-6837?
Multiple WSO2 products contain a user impersonation vulnerability caused by inadequate controls in the Just-In-Time (JIT) provisioning flow. The issue is reachable when an Identity Provider (IdP) is configured for federated authentication with JIT provisioning enabled and one of the affected user prompt settings selected. An attacker who holds a freshly created, valid account in that IdP and knows the username of a legitimate local user can drive the JIT provisioning flow so that their federated login is mapped onto the legitimate user's existing account, after which they act as that user. Remediation is to move to the fixed update levels listed below; until then, review which JIT provisioning prompt mode each federated IdP is configured with and whether a federated login can be associated with a pre-existing local account rather than only with a newly provisioned one.
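The following is an added illustration of the flaw class described above, not WSO2's code and not the actual patch: a toy JIT provisioning routine in its weak form (the username typed at the JIT prompt is trusted and, if it already exists, the federated login is simply mapped onto that account) next to a hardened form (returning federated identities are resolved by their stored IdP link, and a first-time identity may only create a new account, never claim an existing username). The user store, the IdP name "corp-idp", the subjects and the usernames are all constructed for the example.

```python
"""Toy model of username-based JIT provisioning and its hardened form.

Added example; hypothetical data structures and names, not WSO2 code.
"""
from typing import Optional


class LocalUser:
    def __init__(self, username: str,
                 federated_link: Optional[tuple[str, str]] = None) -> None:
        self.username = username
        # (idp_name, idp_subject) this local account is linked to,
        # or None for a purely local account such as the victim here.
        self.federated_link = federated_link


class ProvisioningError(Exception):
    """Raised when the hardened flow refuses to link a federated identity."""


def fresh_store() -> dict[str, LocalUser]:
    # Constructed sample store: "alice" is a legitimate, local-only user.
    return {"alice": LocalUser("alice")}


def jit_provision_vulnerable(store: dict[str, LocalUser], idp: str,
                             subject: str, prompted_username: str) -> str:
    """Weak flow: whatever username the federated user types is trusted.

    If it matches an existing local account, the login is mapped onto that
    account, so any new IdP user who knows a victim's username becomes the
    victim. Returns the username the session is issued for.
    """
    user = store.get(prompted_username)
    if user is None:
        user = LocalUser(prompted_username, (idp, subject))
        store[prompted_username] = user
    return user.username


def jit_provision_hardened(store: dict[str, LocalUser], idp: str,
                           subject: str, prompted_username: str) -> str:
    """Hardened flow.

    1. A federated identity that was provisioned before is resolved by its
       stored (idp, subject) link; the prompted username is ignored for it.
    2. A first-time federated identity may only create a NEW local account;
       a prompted username that collides with any existing account is refused.
    """
    for user in store.values():
        if user.federated_link == (idp, subject):
            return user.username
    if prompted_username in store:
        raise ProvisioningError(
            f"username {prompted_username!r} already exists; refusing to link "
            f"federated identity {idp}:{subject} to it")
    store[prompted_username] = LocalUser(prompted_username, (idp, subject))
    return prompted_username


def run_scenarios() -> dict[str, str]:
    """Attacker 'mallory' (new IdP account) tries to claim 'alice'."""
    results: dict[str, str] = {}

    results["vulnerable_attacker"] = jit_provision_vulnerable(
        fresh_store(), "corp-idp", "mallory-subject", "alice")

    store = fresh_store()
    try:
        results["hardened_attacker"] = jit_provision_hardened(
            store, "corp-idp", "mallory-subject", "alice")
    except ProvisioningError:
        results["hardened_attacker"] = "refused"

    # A genuinely new federated user is still provisioned normally, and a
    # later login by the same IdP subject resolves by link, not by prompt.
    results["hardened_new_user"] = jit_provision_hardened(
        store, "corp-idp", "carol-subject", "carol")
    results["hardened_repeat_login"] = jit_provision_hardened(
        store, "corp-idp", "carol-subject", "alice")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the hardened variant is that a prompted username is only ever used to create an account, so the worst a malicious IdP user can do is fail to provision; the mapping from federated identity to local account lives in the store, where the attacker cannot influence it.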

Affected Version(s)
WSO2 API Manager 2.5.0 < 2.5.0.32
WSO2 API Manager 2.6.0 < 2.6.0.52
WSO2 API Manager 3.0.0 < 3.0.0.50
Timeline
Vulnerability published: 15 December 2023
Vulnerability Reserved
